[selinux-policy/f18] * Thu Nov 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-31 - Add new mandb policy - ALlow systemd

Miroslav Grepl mgrepl at fedoraproject.org
Thu Oct 4 14:44:55 UTC 2012


commit d8f678cd1723d2bc7b10fde99ef8cbd46898ac7f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Oct 4 16:44:40 2012 +0200

    * Thu Nov 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-31
    - Add new mandb policy
    - Allow systemd-tmpfiles_t to relabel mandb_cache_t
    - Allow logrotate to start all unit files

 modules-mls-contrib.conf      |    6 +
 modules-targeted-contrib.conf |   13 +
 policy-rawhide.patch          |43310 ++++++++++++++++++++++++-----------------
 policy_contrib-rawhide.patch  |  595 +-
 selinux-policy.spec           |    7 +-
 5 files changed, 26384 insertions(+), 17547 deletions(-)
---
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index 59b75c8..68a2a57 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -1664,3 +1664,9 @@ zebra = module
 # 
 zosremote = module
 
+# Layer: contrib
+# Module: mandb
+# 
+# Policy for mandb
+# 
+mandb = module
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index a0e1af0..665d9cf 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2230,3 +2230,16 @@ zoneminder = module
 # 
 zosremote = module
 
+# Layer: contrib
+# Module: thin
+# 
+# Policy for thin
+# 
+thin = module
+
+# Layer: contrib
+# Module: mandb
+# 
+# Policy for mandb
+# 
+mandb = module
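Review bot: The `thin = module` stanza at the top of this hunk is not covered by the commit message, which lists only the mandb policy, and the parallel modules-mls-contrib.conf hunk enables mandb alone. Enabling a module changes which domains the shipped targeted policy confines, so the change should be traceable. Unless an earlier changelog entry not visible on this page already covers it, add a line such as `- Enable thin policy module in targeted`, or add the same `thin = module` stanza to the MLS list if its omission there is an oversight. The description comments `# Policy for thin` and `# Policy for mandb` only repeat the module name; a short phrase naming the confined service would help anyone auditing this list.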
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index e5096be..07c17e3 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -60,33 +60,46 @@ index 313d837..ef3c532 100644
  ########################################
 diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
 new file mode 100644
-index 0000000..e51741e
+index 0000000..65c8768
 --- /dev/null
 +++ b/man/man8/NetworkManager_selinux.8
-@@ -0,0 +1,303 @@
+@@ -0,0 +1,314 @@
 +.TH  "NetworkManager_selinux"  "8"  "NetworkManager" "dwalsh at redhat.com" "NetworkManager SELinux Policy documentation"
 +.SH "NAME"
 +NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The NetworkManager processes execute with the NetworkManager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep NetworkManager_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The NetworkManager_t SELinux type can be entered via the "NetworkManager_exec_t" file type.  The default entrypoint paths for the NetworkManager_t domain are the following:"
++
++/usr/s?bin/wpa_supplicant, /usr/sbin/wpa_supplicant, /sbin/wpa_supplicant, /usr/sbin/nm-system-settings, /usr/sbin/wicd, /usr/s?bin/NetworkManager, /usr/sbin/NetworkManagerDispatcher
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
++.PP 
++The following process types are defined for NetworkManager:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B NetworkManager_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -202,27 +215,9 @@ index 0000000..e51741e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for NetworkManager:
-+
-+.EX
-+.B NetworkManager_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type NetworkManager_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type NetworkManager_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B NetworkManager_etc_rw_t
@@ -348,6 +343,22 @@ index 0000000..e51741e
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -369,19 +380,46 @@ index 0000000..e51741e
 +selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/abrt_dump_oops_selinux.8 b/man/man8/abrt_dump_oops_selinux.8
 new file mode 100644
-index 0000000..d2f55bd
+index 0000000..71f34f5
 --- /dev/null
 +++ b/man/man8/abrt_dump_oops_selinux.8
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,99 @@
 +.TH  "abrt_dump_oops_selinux"  "8"  "abrt_dump_oops" "dwalsh at redhat.com" "abrt_dump_oops SELinux Policy documentation"
 +.SH "NAME"
 +abrt_dump_oops_selinux \- Security Enhanced Linux Policy for the abrt_dump_oops processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt_dump_oops processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt_dump_oops processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The abrt_dump_oops processes execute with the abrt_dump_oops_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep abrt_dump_oops_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_dump_oops_t SELinux type can be entered via the "abrt_dump_oops_exec_t" file type.  The default entrypoint paths for the abrt_dump_oops_t domain are the following:"
++
++/usr/bin/abrt-dump-oops
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt_dump_oops:
++
++.EX
++.B abrt_dump_oops_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -409,27 +447,9 @@ index 0000000..d2f55bd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt_dump_oops:
-+
-+.EX
-+.B abrt_dump_oops_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_dump_oops_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_dump_oops_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_var_cache_t
@@ -441,6 +461,8 @@ index 0000000..d2f55bd
 +	/var/cache/abrt-di(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -460,21 +482,50 @@ index 0000000..d2f55bd
 +
 +.SH "SEE ALSO"
 +selinux(8), abrt_dump_oops(8), semanage(8), restorecon(8), chcon(1)
-+, abrt_selinux(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/abrt_handle_event_selinux.8 b/man/man8/abrt_handle_event_selinux.8
 new file mode 100644
-index 0000000..c2e2d63
+index 0000000..a82360a
 --- /dev/null
 +++ b/man/man8/abrt_handle_event_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "abrt_handle_event_selinux"  "8"  "abrt_handle_event" "dwalsh at redhat.com" "abrt_handle_event SELinux Policy documentation"
 +.SH "NAME"
 +abrt_handle_event_selinux \- Security Enhanced Linux Policy for the abrt_handle_event processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt_handle_event processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt_handle_event processes via flexible mandatory access control.
++
++The abrt_handle_event processes execute with the abrt_handle_event_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep abrt_handle_event_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_handle_event_t SELinux type can be entered via the "abrt_handle_event_exec_t" file type.  The default entrypoint paths for the abrt_handle_event_t domain are the following:"
++
++/usr/libexec/abrt-handle-event
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt_handle_event:
++
++.EX
++.B abrt_handle_event_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  abrt_handle_event policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_handle_event with the tightest access possible.
@@ -487,8 +538,6 @@ index 0000000..c2e2d63
 +.B setsebool -P abrt_handle_event 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -515,27 +564,11 @@ index 0000000..c2e2d63
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt_handle_event:
-+
-+.EX
-+.B abrt_handle_event_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_handle_event_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_handle_event_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -559,37 +592,50 @@ index 0000000..c2e2d63
 +
 +.SH "SEE ALSO"
 +selinux(8), abrt_handle_event(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8), abrt_selinux(8)
++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/abrt_helper_selinux.8 b/man/man8/abrt_helper_selinux.8
 new file mode 100644
-index 0000000..56365e4
+index 0000000..6208ba6
 --- /dev/null
 +++ b/man/man8/abrt_helper_selinux.8
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,113 @@
 +.TH  "abrt_helper_selinux"  "8"  "abrt_helper" "dwalsh at redhat.com" "abrt_helper SELinux Policy documentation"
 +.SH "NAME"
 +abrt_helper_selinux \- Security Enhanced Linux Policy for the abrt_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The abrt_helper processes execute with the abrt_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep abrt_helper_t
++
++
++.SH "ENTRYPOINTS"
 +
++The abrt_helper_t SELinux type can be entered via the "abrt_helper_exec_t" file type.  The default entrypoint paths for the abrt_helper_t domain are the following:"
++
++/usr/bin/abrt-pyhook-helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the abrt_helper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt_helper:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B abrt_helper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -617,27 +663,9 @@ index 0000000..56365e4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt_helper:
-+
-+.EX
-+.B abrt_helper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_var_cache_t
@@ -649,6 +677,22 @@ index 0000000..56365e4
 +	/var/cache/abrt-di(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the abrt_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -668,23 +712,50 @@ index 0000000..56365e4
 +
 +.SH "SEE ALSO"
 +selinux(8), abrt_helper(8), semanage(8), restorecon(8), chcon(1)
-+, abrt_selinux(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/abrt_retrace_coredump_selinux.8 b/man/man8/abrt_retrace_coredump_selinux.8
 new file mode 100644
-index 0000000..1d9fb22
+index 0000000..f252940
 --- /dev/null
 +++ b/man/man8/abrt_retrace_coredump_selinux.8
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,113 @@
 +.TH  "abrt_retrace_coredump_selinux"  "8"  "abrt_retrace_coredump" "dwalsh at redhat.com" "abrt_retrace_coredump SELinux Policy documentation"
 +.SH "NAME"
 +abrt_retrace_coredump_selinux \- Security Enhanced Linux Policy for the abrt_retrace_coredump processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt_retrace_coredump processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt_retrace_coredump processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The abrt_retrace_coredump processes execute with the abrt_retrace_coredump_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep abrt_retrace_coredump_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_retrace_coredump_t SELinux type can be entered via the "abrt_retrace_coredump_exec_t" file type.  The default entrypoint paths for the abrt_retrace_coredump_t domain are the following:"
++
++/usr/bin/coredump2packages
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt_retrace_coredump:
++
++.EX
++.B abrt_retrace_coredump_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -712,27 +783,9 @@ index 0000000..1d9fb22
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt_retrace_coredump:
-+
-+.EX
-+.B abrt_retrace_coredump_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_retrace_coredump_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_retrace_coredump_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rpm_log_t
@@ -758,6 +811,8 @@ index 0000000..1d9fb22
 +	/var/run/PackageKit(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -777,23 +832,50 @@ index 0000000..1d9fb22
 +
 +.SH "SEE ALSO"
 +selinux(8), abrt_retrace_coredump(8), semanage(8), restorecon(8), chcon(1)
-+, abrt_selinux(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/abrt_retrace_worker_selinux.8 b/man/man8/abrt_retrace_worker_selinux.8
 new file mode 100644
-index 0000000..17c61c7
+index 0000000..2f3db29
 --- /dev/null
 +++ b/man/man8/abrt_retrace_worker_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "abrt_retrace_worker_selinux"  "8"  "abrt_retrace_worker" "dwalsh at redhat.com" "abrt_retrace_worker SELinux Policy documentation"
 +.SH "NAME"
 +abrt_retrace_worker_selinux \- Security Enhanced Linux Policy for the abrt_retrace_worker processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt_retrace_worker processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt_retrace_worker processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The abrt_retrace_worker processes execute with the abrt_retrace_worker_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep abrt_retrace_worker_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_retrace_worker_t SELinux type can be entered via the "abrt_retrace_worker_exec_t" file type.  The default entrypoint paths for the abrt_retrace_worker_t domain are the following:"
++
++/usr/bin/retrace-server-worker, /usr/bin/abrt-retrace-worker
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt_retrace_worker:
++
++.EX
++.B abrt_retrace_worker_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -825,27 +907,9 @@ index 0000000..17c61c7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt_retrace_worker:
-+
-+.EX
-+.B abrt_retrace_worker_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_retrace_worker_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_retrace_worker_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_retrace_spool_t
@@ -855,6 +919,8 @@ index 0000000..17c61c7
 +	/var/spool/retrace-server(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -874,47 +940,60 @@ index 0000000..17c61c7
 +
 +.SH "SEE ALSO"
 +selinux(8), abrt_retrace_worker(8), semanage(8), restorecon(8), chcon(1)
-+, abrt_selinux(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_watch_log_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8
 new file mode 100644
-index 0000000..33e1057
+index 0000000..8eb7d9a
 --- /dev/null
 +++ b/man/man8/abrt_selinux.8
-@@ -0,0 +1,344 @@
+@@ -0,0 +1,355 @@
 +.TH  "abrt_selinux"  "8"  "abrt" "dwalsh at redhat.com" "abrt SELinux Policy documentation"
 +.SH "NAME"
 +abrt_selinux \- Security Enhanced Linux Policy for the abrt processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible.
++The abrt processes execute with the abrt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
++.B ps -eZ | grep abrt_t
 +
-+.EX
-+.B setsebool -P abrt_handle_event 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The abrt_t SELinux type can be entered via the "abrt_exec_t" file type.  The default entrypoint paths for the abrt_t domain are the following:"
 +
++/usr/sbin/abrtd, /usr/sbin/abrt-dbus
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t, abrt_watch_log_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean.
++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P abrt_handle_event 1
 +.EE
 +
 +.SH SHARING FILES
@@ -1113,27 +1192,9 @@ index 0000000..33e1057
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt:
-+
-+.EX
-+.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t, abrt_watch_log_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_etc_t
@@ -1203,6 +1264,22 @@ index 0000000..33e1057
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
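Review bot: The added NSSWITCH DOMAIN text reads as if `authlogin_nsswitch_use_ldap` and `kerberos_enabled` were scoped to `abrt_helper_t, abrt_t`, but SELinux booleans are policy-wide, and `setsebool -P` makes the change persistent for every domain the boolean covers. I would add a sentence after each `.EE`, such as `This boolean is system-wide and persistent; it also affects other domains that use it.` The first paragraph also has two typos: `rather then using a sssd serve` should read `rather than using an sssd server`. The same text is added in the accountsd and acct hunks further down. These pages look generated, so the fix probably belongs in the generator template rather than in this patch.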
@@ -1229,19 +1306,46 @@ index 0000000..33e1057
 \ No newline at end of file
 diff --git a/man/man8/abrt_watch_log_selinux.8 b/man/man8/abrt_watch_log_selinux.8
 new file mode 100644
-index 0000000..a45e2d0
+index 0000000..110e3c9
 --- /dev/null
 +++ b/man/man8/abrt_watch_log_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "abrt_watch_log_selinux"  "8"  "abrt_watch_log" "dwalsh at redhat.com" "abrt_watch_log SELinux Policy documentation"
 +.SH "NAME"
 +abrt_watch_log_selinux \- Security Enhanced Linux Policy for the abrt_watch_log processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the abrt_watch_log processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the abrt_watch_log processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The abrt_watch_log processes execute with the abrt_watch_log_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep abrt_watch_log_t
++
++
++.SH "ENTRYPOINTS"
++
++The abrt_watch_log_t SELinux type can be entered via the "abrt_watch_log_exec_t" file type.  The default entrypoint paths for the abrt_watch_log_t domain are the following:"
++
++/usr/bin/abrt-watch-log
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible.
++.PP 
++The following process types are defined for abrt_watch_log:
++
++.EX
++.B abrt_watch_log_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
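Review bot: The added PROCESS TYPES line ends with `\fBps\bP`, where `\bP` is not the font-reset escape, so the bold opened by `\fB` is not closed as intended. It should be `\fBps\fP`, which is how the new DESCRIPTION paragraph a few lines above already writes it. The line was carried over unchanged from the removed block, and the same text recurs in the accountsd, acct and afs_* PROCESS TYPES hunks. The ENTRYPOINTS sentence in this hunk also ends with a stray double quote, `following:"`, which will be printed literally.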
@@ -1269,27 +1373,11 @@ index 0000000..a45e2d0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for abrt_watch_log:
-+
-+.EX
-+.B abrt_watch_log_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type abrt_watch_log_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type abrt_watch_log_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
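Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the rendered page shows an empty section. The reader cannot tell whether abrt_watch_log_t has no nsswitch-related booleans or whether the text was lost. Either omit the heading when there is nothing to list, or add one line saying so, e.g. `No nsswitch booleans apply to this domain.` (wording to be confirmed against the policy). The MANAGED FILES sentence just above likewise announces a list of file types that never follows. The same empty heading is added in the afs_bosserver, afs_fsserver, afs_kaserver, afs_ptserver and afs hunks.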
@@ -1310,37 +1398,50 @@ index 0000000..a45e2d0
 +
 +.SH "SEE ALSO"
 +selinux(8), abrt_watch_log(8), semanage(8), restorecon(8), chcon(1)
-+, abrt_selinux(8)
++, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8
 new file mode 100644
-index 0000000..a7f9019
+index 0000000..dd7fc21
 --- /dev/null
 +++ b/man/man8/accountsd_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "accountsd_selinux"  "8"  "accountsd" "dwalsh at redhat.com" "accountsd SELinux Policy documentation"
 +.SH "NAME"
 +accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the accountsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the accountsd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The accountsd processes execute with the accountsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep accountsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The accountsd_t SELinux type can be entered via the "accountsd_exec_t" file type.  The default entrypoint paths for the accountsd_t domain are the following:"
 +
++/usr/libexec/accounts-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for accountsd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B accountsd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
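Review bot: The new SEE ALSO continuation line for abrt_watch_log lists `abrt_selinux(8)` twice in a row and still begins with a dangling `, ` on its own line. The list should be de-duplicated and joined to the previous line, so the tail reads `chcon(1), abrt_selinux(8), abrt_dump_oops_selinux(8), ...`. The afs_bosserver, afs_fsserver, afs_kaserver and afs_ptserver SEE ALSO lines repeat `afs_selinux(8)` in the same way, which suggests the generator adds the parent page once unconditionally and once from the sibling list.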
@@ -1384,27 +1485,9 @@ index 0000000..a7f9019
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for accountsd:
-+
-+.EX
-+.B accountsd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type accountsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type accountsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B accountsd_var_lib_t
@@ -1418,6 +1501,22 @@ index 0000000..a7f9019
 +	/etc/[mg]dm(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -1439,33 +1538,46 @@ index 0000000..a7f9019
 +selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8
 new file mode 100644
-index 0000000..97627b3
+index 0000000..f6eba23
 --- /dev/null
 +++ b/man/man8/acct_selinux.8
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,132 @@
 +.TH  "acct_selinux"  "8"  "acct" "dwalsh at redhat.com" "acct SELinux Policy documentation"
 +.SH "NAME"
 +acct_selinux \- Security Enhanced Linux Policy for the acct processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the acct processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the acct processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The acct processes execute with the acct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep acct_t
 +
++
++.SH "ENTRYPOINTS"
++
++The acct_t SELinux type can be entered via the "acct_exec_t" file type.  The default entrypoint paths for the acct_t domain are the following:"
++
++/usr/sbin/accton, /sbin/accton, /etc/cron\.(daily|monthly)/acct
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
++.PP 
++The following process types are defined for acct:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B acct_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
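Review bot: The relocated note on `semanage permissive -a PROCESS_TYPE` says only that access is no longer denied and that AVC messages continue. It does not say that the domain is then effectively unenforced, or that the setting stays in place until it is removed. On a page whose purpose is confinement, I would add one sentence after it, e.g. `Use permissive mode only while troubleshooting and remove it again with semanage permissive -d PROCESS_TYPE.` The same note appears in every PROCESS TYPES block this patch moves, so the addition belongs wherever that shared text is produced.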
@@ -1509,27 +1621,9 @@ index 0000000..97627b3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for acct:
-+
-+.EX
-+.B acct_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type acct_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type acct_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B acct_data_t
@@ -1545,6 +1639,22 @@ index 0000000..97627b3
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -1566,19 +1676,46 @@ index 0000000..97627b3
 +selinux(8), acct(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/afs_bosserver_selinux.8 b/man/man8/afs_bosserver_selinux.8
 new file mode 100644
-index 0000000..90e61be
+index 0000000..49d6a56
 --- /dev/null
 +++ b/man/man8/afs_bosserver_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "afs_bosserver_selinux"  "8"  "afs_bosserver" "dwalsh at redhat.com" "afs_bosserver SELinux Policy documentation"
 +.SH "NAME"
 +afs_bosserver_selinux \- Security Enhanced Linux Policy for the afs_bosserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the afs_bosserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the afs_bosserver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The afs_bosserver processes execute with the afs_bosserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep afs_bosserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_bosserver_t SELinux type can be entered via the "afs_bosserver_exec_t" file type.  The default entrypoint paths for the afs_bosserver_t domain are the following:"
++
++/usr/afs/bin/bosserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs_bosserver:
++
++.EX
++.B afs_bosserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -1606,27 +1743,9 @@ index 0000000..90e61be
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for afs_bosserver:
-+
-+.EX
-+.B afs_bosserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type afs_bosserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type afs_bosserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B afs_config_t
@@ -1642,6 +1761,8 @@ index 0000000..90e61be
 +	/usr/afs/logs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -1661,23 +1782,50 @@ index 0000000..90e61be
 +
 +.SH "SEE ALSO"
 +selinux(8), afs_bosserver(8), semanage(8), restorecon(8), chcon(1)
-+, afs_selinux(8)
++, afs_selinux(8), afs_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/afs_fsserver_selinux.8 b/man/man8/afs_fsserver_selinux.8
 new file mode 100644
-index 0000000..f5dc397
+index 0000000..2ece7ee
 --- /dev/null
 +++ b/man/man8/afs_fsserver_selinux.8
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,117 @@
 +.TH  "afs_fsserver_selinux"  "8"  "afs_fsserver" "dwalsh at redhat.com" "afs_fsserver SELinux Policy documentation"
 +.SH "NAME"
 +afs_fsserver_selinux \- Security Enhanced Linux Policy for the afs_fsserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the afs_fsserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the afs_fsserver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The afs_fsserver processes execute with the afs_fsserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep afs_fsserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_fsserver_t SELinux type can be entered via the "afs_fsserver_exec_t" file type.  The default entrypoint paths for the afs_fsserver_t domain are the following:"
++
++/usr/afs/bin/volserver, /usr/afs/bin/fileserver, /usr/afs/bin/salvager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs_fsserver:
++
++.EX
++.B afs_fsserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -1709,27 +1857,9 @@ index 0000000..f5dc397
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for afs_fsserver:
-+
-+.EX
-+.B afs_fsserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type afs_fsserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type afs_fsserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B afs_config_t
@@ -1755,6 +1885,8 @@ index 0000000..f5dc397
 +	/usr/afs/logs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -1774,23 +1906,50 @@ index 0000000..f5dc397
 +
 +.SH "SEE ALSO"
 +selinux(8), afs_fsserver(8), semanage(8), restorecon(8), chcon(1)
-+, afs_selinux(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/afs_kaserver_selinux.8 b/man/man8/afs_kaserver_selinux.8
 new file mode 100644
-index 0000000..90dff0f
+index 0000000..8e77b36
 --- /dev/null
 +++ b/man/man8/afs_kaserver_selinux.8
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,109 @@
 +.TH  "afs_kaserver_selinux"  "8"  "afs_kaserver" "dwalsh at redhat.com" "afs_kaserver SELinux Policy documentation"
 +.SH "NAME"
 +afs_kaserver_selinux \- Security Enhanced Linux Policy for the afs_kaserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the afs_kaserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the afs_kaserver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The afs_kaserver processes execute with the afs_kaserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep afs_kaserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_kaserver_t SELinux type can be entered via the "afs_kaserver_exec_t" file type.  The default entrypoint paths for the afs_kaserver_t domain are the following:"
++
++/usr/afs/bin/kaserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs_kaserver:
++
++.EX
++.B afs_kaserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -1818,27 +1977,9 @@ index 0000000..90dff0f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for afs_kaserver:
-+
-+.EX
-+.B afs_kaserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type afs_kaserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type afs_kaserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B afs_config_t
@@ -1860,6 +2001,8 @@ index 0000000..90dff0f
 +	/usr/afs/logs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -1879,23 +2022,50 @@ index 0000000..90dff0f
 +
 +.SH "SEE ALSO"
 +selinux(8), afs_kaserver(8), semanage(8), restorecon(8), chcon(1)
-+, afs_selinux(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/afs_ptserver_selinux.8 b/man/man8/afs_ptserver_selinux.8
 new file mode 100644
-index 0000000..bea0cdc
+index 0000000..72ef400
 --- /dev/null
 +++ b/man/man8/afs_ptserver_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "afs_ptserver_selinux"  "8"  "afs_ptserver" "dwalsh at redhat.com" "afs_ptserver SELinux Policy documentation"
 +.SH "NAME"
 +afs_ptserver_selinux \- Security Enhanced Linux Policy for the afs_ptserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the afs_ptserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the afs_ptserver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The afs_ptserver processes execute with the afs_ptserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep afs_ptserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_ptserver_t SELinux type can be entered via the "afs_ptserver_exec_t" file type.  The default entrypoint paths for the afs_ptserver_t domain are the following:"
++
++/usr/afs/bin/ptserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs_ptserver:
++
++.EX
++.B afs_ptserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -1923,27 +2093,9 @@ index 0000000..bea0cdc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for afs_ptserver:
-+
-+.EX
-+.B afs_ptserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type afs_ptserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type afs_ptserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B afs_logfile_t
@@ -1957,6 +2109,8 @@ index 0000000..bea0cdc
 +	/usr/afs/db/pr.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -1976,23 +2130,50 @@ index 0000000..bea0cdc
 +
 +.SH "SEE ALSO"
 +selinux(8), afs_ptserver(8), semanage(8), restorecon(8), chcon(1)
-+, afs_selinux(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_vlserver_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8
 new file mode 100644
-index 0000000..0d835e4
+index 0000000..4fcd18a
 --- /dev/null
 +++ b/man/man8/afs_selinux.8
-@@ -0,0 +1,363 @@
+@@ -0,0 +1,374 @@
 +.TH  "afs_selinux"  "8"  "afs" "dwalsh at redhat.com" "afs SELinux Policy documentation"
 +.SH "NAME"
 +afs_selinux \- Security Enhanced Linux Policy for the afs processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the afs processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the afs processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The afs processes execute with the afs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep afs_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_t SELinux type can be entered via the "afs_exec_t" file type.  The default entrypoint paths for the afs_t domain are the following:"
++
++/usr/vice/etc/afsd, /usr/sbin/afsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs:
++
++.EX
++.B afs_kaserver_t, afs_t, afs_fsserver_t, afs_bosserver_t, afs_vlserver_t, afs_ptserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -2236,27 +2417,9 @@ index 0000000..0d835e4
 +Default Defined Ports:
 +udp 7003
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for afs:
-+
-+.EX
-+.B afs_kaserver_t, afs_t, afs_fsserver_t, afs_bosserver_t, afs_vlserver_t, afs_ptserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type afs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type afs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B afs_cache_t
@@ -2324,6 +2487,8 @@ index 0000000..0d835e4
 +.B unlabeled_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -2350,19 +2515,46 @@ index 0000000..0d835e4
 \ No newline at end of file
 diff --git a/man/man8/afs_vlserver_selinux.8 b/man/man8/afs_vlserver_selinux.8
 new file mode 100644
-index 0000000..6670bfa
+index 0000000..e05af72
 --- /dev/null
 +++ b/man/man8/afs_vlserver_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "afs_vlserver_selinux"  "8"  "afs_vlserver" "dwalsh at redhat.com" "afs_vlserver SELinux Policy documentation"
 +.SH "NAME"
 +afs_vlserver_selinux \- Security Enhanced Linux Policy for the afs_vlserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the afs_vlserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the afs_vlserver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The afs_vlserver processes execute with the afs_vlserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep afs_vlserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The afs_vlserver_t SELinux type can be entered via the "afs_vlserver_exec_t" file type.  The default entrypoint paths for the afs_vlserver_t domain are the following:"
++
++/usr/afs/bin/vlserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for afs_vlserver:
++
++.EX
++.B afs_vlserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
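Review bot: In the PROCESS TYPES section added to afs_vlserver_selinux.8, the line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends the bold run with `\bP` instead of `\fP`. `\b` is a different roff escape, so that line never switches the font back; it should read `... option to \fBps\fP`. The identical line is re-added in the aiccu, aide, aisexec, ajaxterm, alsa, amanda_recover and amanda pages in later hunks. These pages look generated, so the fix probably belongs in the generator template rather than in each page.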
@@ -2390,27 +2582,9 @@ index 0000000..6670bfa
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for afs_vlserver:
-+
-+.EX
-+.B afs_vlserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type afs_vlserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type afs_vlserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B afs_logfile_t
@@ -2424,6 +2598,8 @@ index 0000000..6670bfa
 +	/usr/afs/db/vl.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -2443,23 +2619,50 @@ index 0000000..6670bfa
 +
 +.SH "SEE ALSO"
 +selinux(8), afs_vlserver(8), semanage(8), restorecon(8), chcon(1)
-+, afs_selinux(8)
++, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8
 new file mode 100644
-index 0000000..01e8b01
+index 0000000..16c836c
 --- /dev/null
 +++ b/man/man8/aiccu_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,118 @@
 +.TH  "aiccu_selinux"  "8"  "aiccu" "dwalsh at redhat.com" "aiccu SELinux Policy documentation"
 +.SH "NAME"
 +aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the aiccu processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the aiccu processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The aiccu processes execute with the aiccu_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep aiccu_t
++
++
++.SH "ENTRYPOINTS"
++
++The aiccu_t SELinux type can be entered via the "aiccu_exec_t" file type.  The default entrypoint paths for the aiccu_t domain are the following:"
++
++/usr/sbin/aiccu
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
++.PP 
++The following process types are defined for aiccu:
++
++.EX
++.B aiccu_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -2511,27 +2714,9 @@ index 0000000..01e8b01
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for aiccu:
-+
-+.EX
-+.B aiccu_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type aiccu_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type aiccu_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B aiccu_var_run_t
@@ -2539,6 +2724,8 @@ index 0000000..01e8b01
 +	/var/run/aiccu\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -2560,19 +2747,46 @@ index 0000000..01e8b01
 +selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8
 new file mode 100644
-index 0000000..2cac17d
+index 0000000..57ff4a2
 --- /dev/null
 +++ b/man/man8/aide_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "aide_selinux"  "8"  "aide" "dwalsh at redhat.com" "aide SELinux Policy documentation"
 +.SH "NAME"
 +aide_selinux \- Security Enhanced Linux Policy for the aide processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the aide processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the aide processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The aide processes execute with the aide_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep aide_t
++
++
++.SH "ENTRYPOINTS"
++
++The aide_t SELinux type can be entered via the "aide_exec_t" file type.  The default entrypoint paths for the aide_t domain are the following:"
++
++/usr/sbin/aide
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
++.PP 
++The following process types are defined for aide:
++
++.EX
++.B aide_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -2620,27 +2834,9 @@ index 0000000..2cac17d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for aide:
-+
-+.EX
-+.B aide_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type aide_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type aide_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B aide_db_t
@@ -2656,6 +2852,8 @@ index 0000000..2cac17d
 +	/var/log/aide\.log.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -2677,33 +2875,46 @@ index 0000000..2cac17d
 +selinux(8), aide(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8
 new file mode 100644
-index 0000000..56ce33e
+index 0000000..2327fe6
 --- /dev/null
 +++ b/man/man8/aisexec_selinux.8
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,204 @@
 +.TH  "aisexec_selinux"  "8"  "aisexec" "dwalsh at redhat.com" "aisexec SELinux Policy documentation"
 +.SH "NAME"
 +aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the aisexec processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the aisexec processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The aisexec processes execute with the aisexec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep aisexec_t
 +
++
++.SH "ENTRYPOINTS"
++
++The aisexec_t SELinux type can be entered via the "aisexec_exec_t" file type.  The default entrypoint paths for the aisexec_t domain are the following:"
++
++/usr/sbin/aisexec
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
++.PP 
++The following process types are defined for aisexec:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B aisexec_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -2779,27 +2990,9 @@ index 0000000..56ce33e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for aisexec:
-+
-+.EX
-+.B aisexec_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type aisexec_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type aisexec_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B aisexec_tmp_t
@@ -2855,6 +3048,22 @@ index 0000000..56ce33e
 +	/var/lib(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -2876,33 +3085,46 @@ index 0000000..56ce33e
 +selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8
 new file mode 100644
-index 0000000..308cf15
+index 0000000..0e75606
 --- /dev/null
 +++ b/man/man8/ajaxterm_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,180 @@
 +.TH  "ajaxterm_selinux"  "8"  "ajaxterm" "dwalsh at redhat.com" "ajaxterm SELinux Policy documentation"
 +.SH "NAME"
 +ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ajaxterm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ajaxterm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ajaxterm processes execute with the ajaxterm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ajaxterm_t
++
++
++.SH "ENTRYPOINTS"
 +
++The ajaxterm_t SELinux type can be entered via the "ajaxterm_exec_t" file type.  The default entrypoint paths for the ajaxterm_t domain are the following:"
++
++/usr/share/ajaxterm/ajaxterm\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
++.PP 
++The following process types are defined for ajaxterm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ajaxterm_ssh_t, ajaxterm_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -2969,27 +3191,9 @@ index 0000000..308cf15
 +Default Defined Ports:
 +tcp 8022
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ajaxterm:
-+
-+.EX
-+.B ajaxterm_ssh_t, ajaxterm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ajaxterm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ajaxterm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ajaxterm_var_run_t
@@ -3018,6 +3222,30 @@ index 0000000..308cf15
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
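Review bot: The MANAGED FILES entries added here, `/home/dwalsh/\.ssh(/.*)?`, `/home/dwalsh/\.shosts` and the two `/var/lib/xguest/home/xguest/...` paths, look like per-user home-directory contexts from the machine the page was produced on rather than policy defaults. The generic `/home/[^/]*/\.shosts` pattern just above already covers the same files. Shipping them puts a local account name into every installed copy of ajaxterm_selinux.8, and it presents paths as "default paths" that will not exist on the reader's system. I would drop these four paths and their `.br` lines. Presumably the generator should read the unexpanded home-directory template rather than the host's expanded file-context list, but the generator is not on this page, so that needs confirming.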
@@ -3043,33 +3271,46 @@ index 0000000..308cf15
 +selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8
 new file mode 100644
-index 0000000..608b2e9
+index 0000000..cf09172
 --- /dev/null
 +++ b/man/man8/alsa_selinux.8
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,176 @@
 +.TH  "alsa_selinux"  "8"  "alsa" "dwalsh at redhat.com" "alsa SELinux Policy documentation"
 +.SH "NAME"
 +alsa_selinux \- Security Enhanced Linux Policy for the alsa processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the alsa processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the alsa processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The alsa processes execute with the alsa_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep alsa_t
++
++
++.SH "ENTRYPOINTS"
++
++The alsa_t SELinux type can be entered via the "alsa_exec_t" file type.  The default entrypoint paths for the alsa_t domain are the following:"
 +
++/usr/sbin/salsa, /usr/bin/ainit, /usr/bin/alsaunmute, /sbin/salsa, /usr/sbin/alsactl, /sbin/alsactl, /bin/alsaunmute
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
++.PP 
++The following process types are defined for alsa:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B alsa_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -3145,27 +3386,9 @@ index 0000000..608b2e9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for alsa:
-+
-+.EX
-+.B alsa_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type alsa_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type alsa_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B alsa_etc_rw_t
@@ -3193,6 +3416,22 @@ index 0000000..608b2e9
 +	/var/lib/alsa(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -3214,33 +3453,46 @@ index 0000000..608b2e9
 +selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/amanda_recover_selinux.8 b/man/man8/amanda_recover_selinux.8
 new file mode 100644
-index 0000000..3f5e34c
+index 0000000..6d4c3b8
 --- /dev/null
 +++ b/man/man8/amanda_recover_selinux.8
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,129 @@
 +.TH  "amanda_recover_selinux"  "8"  "amanda_recover" "dwalsh at redhat.com" "amanda_recover SELinux Policy documentation"
 +.SH "NAME"
 +amanda_recover_selinux \- Security Enhanced Linux Policy for the amanda_recover processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the amanda_recover processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the amanda_recover processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The amanda_recover processes execute with the amanda_recover_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep amanda_recover_t
 +
++
++.SH "ENTRYPOINTS"
++
++The amanda_recover_t SELinux type can be entered via the "amanda_recover_exec_t" file type.  The default entrypoint paths for the amanda_recover_t domain are the following:"
++
++/usr/sbin/amrecover
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the amanda_recover_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible.
++.PP 
++The following process types are defined for amanda_recover:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B amanda_recover_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -3276,27 +3528,9 @@ index 0000000..3f5e34c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for amanda_recover:
-+
-+.EX
-+.B amanda_recover_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type amanda_recover_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type amanda_recover_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amanda_log_t
@@ -3316,6 +3550,22 @@ index 0000000..3f5e34c
 +.B amanda_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the amanda_recover_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -3335,37 +3585,50 @@ index 0000000..3f5e34c
 +
 +.SH "SEE ALSO"
 +selinux(8), amanda_recover(8), semanage(8), restorecon(8), chcon(1)
-+, amanda_selinux(8)
++, amanda_selinux(8), amanda_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8
 new file mode 100644
-index 0000000..9c85d93
+index 0000000..c9c7a70
 --- /dev/null
 +++ b/man/man8/amanda_selinux.8
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,295 @@
 +.TH  "amanda_selinux"  "8"  "amanda" "dwalsh at redhat.com" "amanda SELinux Policy documentation"
 +.SH "NAME"
 +amanda_selinux \- Security Enhanced Linux Policy for the amanda processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the amanda processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the amanda processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The amanda processes execute with the amanda_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep amanda_t
++
++
++.SH "ENTRYPOINTS"
 +
++The amanda_t SELinux type can be entered via the "amanda_exec_t,amanda_inetd_exec_t" file types.  The default entrypoint paths for the amanda_t domain are the following:"
++
++/usr/lib/amanda/.+, /usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped, /usr/lib/amanda/amandad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
++.PP 
++The following process types are defined for amanda:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B amanda_t, amanda_recover_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -3534,27 +3797,9 @@ index 0000000..9c85d93
 +.EE
 +udp 10080-10082
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for amanda:
-+
-+.EX
-+.B amanda_t, amanda_recover_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type amanda_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type amanda_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amanda_amandates_t
@@ -3604,6 +3849,22 @@ index 0000000..9c85d93
 +	/var/lib/amanda
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
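Review bot: The added NSSWITCH DOMAIN text describes `authlogin_nsswitch_use_ldap` and `kerberos_enabled` as settings "for the amanda_recover_t, amanda_t", but SELinux booleans are policy-wide and `setsebool -P` makes the change persistent across reboots. The paragraph should say that turning the boolean on affects every domain whose policy is conditioned on it, not only amanda. The first sentence also has two typos and would read better as `If you want to allow users to resolve user passwd entries directly from ldap rather than using an sssd server for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean.` The same wording recurs in the NSSWITCH DOMAIN sections added further down for amavis, apmd, arpwatch, asterisk and audisp_remote; the pages appear to be generated, so the fix probably belongs in the generator template.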
@@ -3630,43 +3891,56 @@ index 0000000..9c85d93
 \ No newline at end of file
 diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8
 new file mode 100644
-index 0000000..8f7997c
+index 0000000..24e30ba
 --- /dev/null
 +++ b/man/man8/amavis_selinux.8
-@@ -0,0 +1,275 @@
+@@ -0,0 +1,286 @@
 +.TH  "amavis_selinux"  "8"  "amavis" "dwalsh at redhat.com" "amavis SELinux Policy documentation"
 +.SH "NAME"
 +amavis_selinux \- Security Enhanced Linux Policy for the amavis processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the amavis processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the amavis processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  amavis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amavis with the tightest access possible.
++The amavis processes execute with the amavis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean.
++.B ps -eZ | grep amavis_t
 +
-+.EX
-+.B setsebool -P amavis_use_jit 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The amavis_t SELinux type can be entered via the "amavis_exec_t" file type.  The default entrypoint paths for the amavis_t domain are the following:"
 +
++/usr/sbin/amavisd.*, /usr/lib/AntiVir/antivir
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
++.PP 
++The following process types are defined for amavis:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B amavis_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  amavis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amavis with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean.
++If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P amavis_use_jit 1
 +.EE
 +
 +.SH FILE CONTEXTS
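Review bot: The PROCESS TYPES line placed near the top of the page ends with `\fBps\bP`, which never closes the bold run opened by `\fB`, since `\b` is a different roff escape. It should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with an unbalanced quote (`are the following:"`), which should be dropped. Both slips repeat in the amtu, apcupsd, apm, apmd, arpwatch, asterisk and audisp_remote header hunks below.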
@@ -3809,27 +4083,9 @@ index 0000000..8f7997c
 +Default Defined Ports:
 +tcp 10025
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for amavis:
-+
-+.EX
-+.B amavis_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type amavis_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type amavis_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amavis_quarantine_t
@@ -3883,6 +4139,22 @@ index 0000000..8f7997c
 +	/usr/share/snmp/mibs/\.index
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -3912,19 +4184,46 @@ index 0000000..8f7997c
 \ No newline at end of file
 diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8
 new file mode 100644
-index 0000000..5f568ce
+index 0000000..9b2fbbc
 --- /dev/null
 +++ b/man/man8/amtu_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "amtu_selinux"  "8"  "amtu" "dwalsh at redhat.com" "amtu SELinux Policy documentation"
 +.SH "NAME"
 +amtu_selinux \- Security Enhanced Linux Policy for the amtu processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the amtu processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the amtu processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The amtu processes execute with the amtu_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep amtu_t
++
++
++.SH "ENTRYPOINTS"
++
++The amtu_t SELinux type can be entered via the "amtu_exec_t" file type.  The default entrypoint paths for the amtu_t domain are the following:"
++
++/usr/bin/amtu
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
++.PP 
++The following process types are defined for amtu:
++
++.EX
++.B amtu_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
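Review bot: The note on `semanage permissive -a PROCESS_TYPE`, now moved near the top of the page, does not say how to undo the change, and a type left permissive is no longer enforced by SELinux even though AVC messages are still logged. I would add one sentence after it, for example `Use semanage permissive -d PROCESS_TYPE to return the type to enforcing mode once troubleshooting is finished.` The same note appears unchanged in every PROCESS TYPES section this patch relocates (amavis, apcupsd, apm, apmd, arpwatch, asterisk, audisp_remote).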
@@ -3952,27 +4251,9 @@ index 0000000..5f568ce
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for amtu:
-+
-+.EX
-+.B amtu_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type amtu_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type amtu_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boot_t
@@ -3986,6 +4267,8 @@ index 0000000..5f568ce
 +	/boot
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
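Review bot: This hunk adds a bare `.SH NSSWITCH DOMAIN` heading with nothing under it before `.SH "COMMANDS"`, so the rendered amtu page has an empty section. A reader cannot tell whether no nsswitch booleans apply to amtu_t or the text was lost. The heading should be emitted only when there is body text for it, which is probably a condition to add in the generator rather than here. The apcupsd hunk at `@@ -4248,6 +4540,8 @@` adds the same empty heading.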
@@ -4007,19 +4290,46 @@ index 0000000..5f568ce
 +selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8
 new file mode 100644
-index 0000000..6ef7cfc
+index 0000000..c08deee
 --- /dev/null
 +++ b/man/man8/apcupsd_selinux.8
-@@ -0,0 +1,259 @@
+@@ -0,0 +1,270 @@
 +.TH  "apcupsd_selinux"  "8"  "apcupsd" "dwalsh at redhat.com" "apcupsd SELinux Policy documentation"
 +.SH "NAME"
 +apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the apcupsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the apcupsd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The apcupsd processes execute with the apcupsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep apcupsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The apcupsd_t SELinux type can be entered via the "apcupsd_exec_t" file type.  The default entrypoint paths for the apcupsd_t domain are the following:"
++
++/sbin/apcupsd, /usr/sbin/apcupsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for apcupsd:
++
++.EX
++.B apcupsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -4128,27 +4438,9 @@ index 0000000..6ef7cfc
 +.EE
 +udp 3551
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for apcupsd:
-+
-+.EX
-+.B apcupsd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type apcupsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type apcupsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B apcupsd_lock_t
@@ -4248,6 +4540,8 @@ index 0000000..6ef7cfc
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -4272,33 +4566,46 @@ index 0000000..6ef7cfc
 +selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8
 new file mode 100644
-index 0000000..3079423
+index 0000000..a07ae78
 --- /dev/null
 +++ b/man/man8/apm_selinux.8
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,159 @@
 +.TH  "apm_selinux"  "8"  "apm" "dwalsh at redhat.com" "apm SELinux Policy documentation"
 +.SH "NAME"
 +apm_selinux \- Security Enhanced Linux Policy for the apm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the apm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the apm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The apm processes execute with the apm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep apm_t
++
++
++.SH "ENTRYPOINTS"
++
++The apm_t SELinux type can be entered via the "apm_exec_t" file type.  The default entrypoint paths for the apm_t domain are the following:"
 +
++/usr/bin/apm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
++.PP 
++The following process types are defined for apm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B apm_t, apmd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -4382,27 +4689,25 @@ index 0000000..3079423
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type apm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for apm:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B apm_t, apmd_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type apm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
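Review bot: In the reworked apm_selinux page the MANAGED FILES paragraph promises "the following file types" for apm_t, but the next line is already `.SH NSSWITCH DOMAIN`. The reader therefore cannot tell whether apm_t may manage no files at all or the list is missing. The NSSWITCH DOMAIN text that follows names only apmd_t, although this page is about apm_t and its PROCESS TYPES section lists `apm_t, apmd_t`. I would either omit MANAGED FILES when the list is empty or state the empty result explicitly, and would name in the boolean paragraphs the type they actually apply to on this page.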
@@ -4427,33 +4732,46 @@ index 0000000..3079423
 \ No newline at end of file
 diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8
 new file mode 100644
-index 0000000..1897e70
+index 0000000..ce8e64e
 --- /dev/null
 +++ b/man/man8/apmd_selinux.8
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,235 @@
 +.TH  "apmd_selinux"  "8"  "apmd" "dwalsh at redhat.com" "apmd SELinux Policy documentation"
 +.SH "NAME"
 +apmd_selinux \- Security Enhanced Linux Policy for the apmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the apmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the apmd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The apmd processes execute with the apmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep apmd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The apmd_t SELinux type can be entered via the "apmd_exec_t" file type.  The default entrypoint paths for the apmd_t domain are the following:"
++
++/usr/sbin/powersaved, /usr/sbin/acpid, /usr/sbin/apmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for apmd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B apm_t, apmd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -4529,27 +4847,9 @@ index 0000000..1897e70
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for apmd:
-+
-+.EX
-+.B apm_t, apmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type apmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type apmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B adjtime_t
@@ -4635,6 +4935,22 @@ index 0000000..1897e70
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -4658,33 +4974,46 @@ index 0000000..1897e70
 \ No newline at end of file
 diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8
 new file mode 100644
-index 0000000..37c1a20
+index 0000000..5eccc0b
 --- /dev/null
 +++ b/man/man8/arpwatch_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,162 @@
 +.TH  "arpwatch_selinux"  "8"  "arpwatch" "dwalsh at redhat.com" "arpwatch SELinux Policy documentation"
 +.SH "NAME"
 +arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the arpwatch processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the arpwatch processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The arpwatch processes execute with the arpwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep arpwatch_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The arpwatch_t SELinux type can be entered via the "arpwatch_exec_t" file type.  The default entrypoint paths for the arpwatch_t domain are the following:"
++
++/usr/sbin/arpwatch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
++.PP 
++The following process types are defined for arpwatch:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B arpwatch_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -4756,27 +5085,9 @@ index 0000000..37c1a20
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for arpwatch:
-+
-+.EX
-+.B arpwatch_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type arpwatch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type arpwatch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B arpwatch_data_t
@@ -4794,6 +5105,22 @@ index 0000000..37c1a20
 +.B arpwatch_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -4815,33 +5142,46 @@ index 0000000..37c1a20
 +selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8
 new file mode 100644
-index 0000000..f22ac28
+index 0000000..ce8533a
 --- /dev/null
 +++ b/man/man8/asterisk_selinux.8
-@@ -0,0 +1,215 @@
+@@ -0,0 +1,226 @@
 +.TH  "asterisk_selinux"  "8"  "asterisk" "dwalsh at redhat.com" "asterisk SELinux Policy documentation"
 +.SH "NAME"
 +asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the asterisk processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the asterisk processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The asterisk processes execute with the asterisk_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep asterisk_t
++
++
++.SH "ENTRYPOINTS"
++
++The asterisk_t SELinux type can be entered via the "asterisk_exec_t" file type.  The default entrypoint paths for the asterisk_t domain are the following:"
 +
++/usr/sbin/asterisk
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
++.PP 
++The following process types are defined for asterisk:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B asterisk_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -4958,27 +5298,9 @@ index 0000000..f22ac28
 +.EE
 +udp 2427,2727,4569
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for asterisk:
-+
-+.EX
-+.B asterisk_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type asterisk_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type asterisk_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B asterisk_log_t
@@ -5012,6 +5334,22 @@ index 0000000..f22ac28
 +	/var/run/asterisk(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -5036,33 +5374,46 @@ index 0000000..f22ac28
 +selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/audisp_remote_selinux.8 b/man/man8/audisp_remote_selinux.8
 new file mode 100644
-index 0000000..5e77d53
+index 0000000..8e4c00f
 --- /dev/null
 +++ b/man/man8/audisp_remote_selinux.8
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,121 @@
 +.TH  "audisp_remote_selinux"  "8"  "audisp_remote" "dwalsh at redhat.com" "audisp_remote SELinux Policy documentation"
 +.SH "NAME"
 +audisp_remote_selinux \- Security Enhanced Linux Policy for the audisp_remote processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the audisp_remote processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the audisp_remote processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The audisp_remote processes execute with the audisp_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep audisp_remote_t
++
++
++.SH "ENTRYPOINTS"
 +
++The audisp_remote_t SELinux type can be entered via the "audisp_remote_exec_t" file type.  The default entrypoint paths for the audisp_remote_t domain are the following:"
++
++/usr/sbin/audisp-remote, /sbin/audisp-remote
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the audisp_remote_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible.
++.PP 
++The following process types are defined for audisp_remote:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B audisp_remote_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -5094,27 +5445,9 @@ index 0000000..5e77d53
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for audisp_remote:
-+
-+.EX
-+.B audisp_remote_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type audisp_remote_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type audisp_remote_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B audit_spool_t
@@ -5130,6 +5463,22 @@ index 0000000..5e77d53
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the audisp_remote_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -5149,37 +5498,50 @@ index 0000000..5e77d53
 +
 +.SH "SEE ALSO"
 +selinux(8), audisp_remote(8), semanage(8), restorecon(8), chcon(1)
-+, audisp_selinux(8)
++, audisp_selinux(8), audisp_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8
 new file mode 100644
-index 0000000..9bc2244
+index 0000000..46ac866
 --- /dev/null
 +++ b/man/man8/audisp_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "audisp_selinux"  "8"  "audisp" "dwalsh at redhat.com" "audisp SELinux Policy documentation"
 +.SH "NAME"
 +audisp_selinux \- Security Enhanced Linux Policy for the audisp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the audisp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the audisp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The audisp processes execute with the audisp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep audisp_t
++
++
++.SH "ENTRYPOINTS"
 +
++The audisp_t SELinux type can be entered via the "audisp_exec_t" file type.  The default entrypoint paths for the audisp_t domain are the following:"
++
++/sbin/audispd, /usr/sbin/audispd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the audisp_t, audisp_remote_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
++.PP 
++The following process types are defined for audisp:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B audisp_remote_t, audisp_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
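Review bot: On the re-added PROCESS TYPES line for audisp, `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP`, the closing escape is `\bP` rather than `\fP`, so the bold opened by `\fB` is not closed on that line; it should end `\fBps\fP`. The new ENTRYPOINTS sentence also ends in a stray `"` after `are the following:`. Both recur in the auditctl, auditd, automount, avahi, awstats and bcfg2 hunks below, so the fix probably belongs in the generator's template rather than in each page. The FILE CONTEXTS section that follows continues outside this hunk.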
@@ -5231,27 +5593,25 @@ index 0000000..9bc2244
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type audisp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for audisp:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B audisp_remote_t, audisp_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the audisp_t, audisp_remote_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type audisp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -5276,10 +5636,10 @@ index 0000000..9bc2244
 \ No newline at end of file
 diff --git a/man/man8/auditadm_selinux.8 b/man/man8/auditadm_selinux.8
 new file mode 100644
-index 0000000..806bb9d
+index 0000000..9606db3
 --- /dev/null
 +++ b/man/man8/auditadm_selinux.8
-@@ -0,0 +1,216 @@
+@@ -0,0 +1,240 @@
 +.TH  "auditadm_selinux"  "8"  "auditadm" "mgrepl at redhat.com" "auditadm SELinux Policy documentation"
 +.SH "NAME"
 +auditadm_r \- \fBAudit administrator role\fP - Security Enhanced Linux Policy 
@@ -5333,7 +5693,7 @@ index 0000000..806bb9d
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type auditadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type auditadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -5384,6 +5744,10 @@ index 0000000..806bb9d
 +
 +	/home/[^/]*/\.gnupg/log-socket
 +.br
++	/home/dwalsh/\.gnupg/log-socket
++.br
++	/var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
 +
 +.br
 +.B mail_spool_t
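Review bot: The two added entries `/home/dwalsh/\.gnupg/log-socket` and `/var/lib/xguest/home/xguest/\.gnupg/log-socket` name specific accounts, which looks like the generic `/home/[^/]*/\.gnupg/log-socket` pattern above them expanded against the users of the machine that generated the page. A shipped man page should list only the generic default path: the host-specific lines say nothing about the reader's own system and disclose account names from the build host. The same applies to the `.screen`/`.screenrc` and `.fontconfig`/`.fonts` entries added in the next two hunks of auditadm_selinux.8. I would drop these lines and regenerate the pages in a build environment without per-user home-directory entries.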
@@ -5422,6 +5786,14 @@ index 0000000..806bb9d
 +.br
 +	/home/[^/]*/\.screenrc
 +.br
++	/home/dwalsh/\.screen(/.*)?
++.br
++	/home/dwalsh/\.screenrc
++.br
++	/var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.screenrc
++.br
 +
 +.br
 +.B security_t
@@ -5448,6 +5820,18 @@ index 0000000..806bb9d
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_home_type
@@ -5498,19 +5882,46 @@ index 0000000..806bb9d
 +selinux(8), auditadm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8
 new file mode 100644
-index 0000000..d116600
+index 0000000..574ee84
 --- /dev/null
 +++ b/man/man8/auditctl_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "auditctl_selinux"  "8"  "auditctl" "dwalsh at redhat.com" "auditctl SELinux Policy documentation"
 +.SH "NAME"
 +auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the auditctl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the auditctl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The auditctl processes execute with the auditctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep auditctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The auditctl_t SELinux type can be entered via the "auditctl_exec_t" file type.  The default entrypoint paths for the auditctl_t domain are the following:"
++
++/sbin/auditctl, /usr/sbin/auditctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for auditctl:
++
++.EX
++.B auditctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -5542,27 +5953,11 @@ index 0000000..d116600
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for auditctl:
-+
-+.EX
-+.B auditctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type auditctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type auditctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
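Review bot: `.SH NSSWITCH DOMAIN` is added to auditctl_selinux.8 with no body; the next request is already `.SH "COMMANDS"`, so the rendered page shows an empty section. The heading should be emitted only when there is at least one boolean paragraph to put under it, as in the audisp_remote and auditd pages. The awstats_selinux.8 hunk further down adds the same empty heading. The COMMANDS section continues outside this hunk.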
@@ -5585,33 +5980,46 @@ index 0000000..d116600
 +selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8
 new file mode 100644
-index 0000000..4de1732
+index 0000000..a991ae1
 --- /dev/null
 +++ b/man/man8/auditd_selinux.8
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,211 @@
 +.TH  "auditd_selinux"  "8"  "auditd" "dwalsh at redhat.com" "auditd SELinux Policy documentation"
 +.SH "NAME"
 +auditd_selinux \- Security Enhanced Linux Policy for the auditd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the auditd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the auditd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The auditd processes execute with the auditd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep auditd_t
++
++
++.SH "ENTRYPOINTS"
++
++The auditd_t SELinux type can be entered via the "auditd_exec_t" file type.  The default entrypoint paths for the auditd_t domain are the following:"
 +
++/sbin/auditd, /usr/sbin/auditd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
++.PP 
++The following process types are defined for auditd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B auditadm_su_t, auditadm_seunshare_t, auditadm_dbusd_t, auditadm_t, auditadm_sudo_t, auditadm_wine_t, auditadm_screen_t, auditadm_gkeyringd_t, auditd_t, auditctl_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
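Review bot: The process-type list added for auditd, `.B auditadm_su_t, auditadm_seunshare_t, ... auditd_t, auditctl_t`, includes the auditadm_* domains and auditctl_t, while the DESCRIPTION paragraph in the same hunk says the auditd processes run as auditd_t only; the list appears to be built by matching on the `audit` name prefix. Directly below it the page suggests `semanage permissive -a PROCESS_TYPE`, so a reader choosing a type from this list could make an administrator domain permissive when they meant the daemon. Restricting the line to `.B auditd_t` would match the description. The audisp page has the same pattern with `.B audisp_remote_t, audisp_t`.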
@@ -5714,27 +6122,9 @@ index 0000000..4de1732
 +Default Defined Ports:
 +tcp 60
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for auditd:
-+
-+.EX
-+.B auditadm_su_t, auditadm_seunshare_t, auditadm_dbusd_t, auditadm_t, auditadm_sudo_t, auditadm_wine_t, auditadm_screen_t, auditadm_gkeyringd_t, auditd_t, auditctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type auditd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type auditd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -5766,6 +6156,22 @@ index 0000000..4de1732
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -5792,33 +6198,46 @@ index 0000000..4de1732
 \ No newline at end of file
 diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8
 new file mode 100644
-index 0000000..93421fc
+index 0000000..74ebe46
 --- /dev/null
 +++ b/man/man8/automount_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,178 @@
 +.TH  "automount_selinux"  "8"  "automount" "dwalsh at redhat.com" "automount SELinux Policy documentation"
 +.SH "NAME"
 +automount_selinux \- Security Enhanced Linux Policy for the automount processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the automount processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the automount processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The automount processes execute with the automount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep automount_t
++
++
++.SH "ENTRYPOINTS"
 +
++The automount_t SELinux type can be entered via the "automount_exec_t" file type.  The default entrypoint paths for the automount_t domain are the following:"
++
++/usr/sbin/automount, /etc/apm/event\.d/autofs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
++.PP 
++The following process types are defined for automount:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B automount_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -5898,27 +6317,9 @@ index 0000000..93421fc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for automount:
-+
-+.EX
-+.B automount_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type automount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type automount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B automount_lock_t
@@ -5944,6 +6345,22 @@ index 0000000..93421fc
 +	/var/spool/samba(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -5965,43 +6382,56 @@ index 0000000..93421fc
 +selinux(8), automount(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8
 new file mode 100644
-index 0000000..fef76fe
+index 0000000..9dbaaf6
 --- /dev/null
 +++ b/man/man8/avahi_selinux.8
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,191 @@
 +.TH  "avahi_selinux"  "8"  "avahi" "dwalsh at redhat.com" "avahi SELinux Policy documentation"
 +.SH "NAME"
 +avahi_selinux \- Security Enhanced Linux Policy for the avahi processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the avahi processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the avahi processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible.
++The avahi processes execute with the avahi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
++.B ps -eZ | grep avahi_t
 +
-+.EX
-+.B setsebool -P httpd_dbus_avahi 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The avahi_t SELinux type can be entered via the "avahi_exec_t" file type.  The default entrypoint paths for the avahi_t domain are the following:"
++
++/usr/sbin/avahi-dnsconfd, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
++.PP 
++The following process types are defined for avahi:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B avahi_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean.
++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_dbus_avahi 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -6066,27 +6496,9 @@ index 0000000..fef76fe
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for avahi:
-+
-+.EX
-+.B avahi_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type avahi_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type avahi_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B avahi_var_lib_t
@@ -6126,6 +6538,22 @@ index 0000000..fef76fe
 +	/etc/ethers
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -6152,19 +6580,46 @@ index 0000000..fef76fe
 \ No newline at end of file
 diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8
 new file mode 100644
-index 0000000..4b41b25
+index 0000000..ca1842d
 --- /dev/null
 +++ b/man/man8/awstats_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,114 @@
 +.TH  "awstats_selinux"  "8"  "awstats" "dwalsh at redhat.com" "awstats SELinux Policy documentation"
 +.SH "NAME"
 +awstats_selinux \- Security Enhanced Linux Policy for the awstats processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the awstats processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the awstats processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The awstats processes execute with the awstats_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep awstats_t
++
++
++.SH "ENTRYPOINTS"
++
++The awstats_t SELinux type can be entered via the "awstats_exec_t" file type.  The default entrypoint paths for the awstats_t domain are the following:"
++
++/usr/share/awstats/tools/.+\.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
++.PP 
++The following process types are defined for awstats:
++
++.EX
++.B awstats_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -6208,27 +6663,9 @@ index 0000000..4b41b25
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for awstats:
-+
-+.EX
-+.B awstats_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type awstats_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type awstats_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B awstats_tmp_t
@@ -6240,6 +6677,8 @@ index 0000000..4b41b25
 +	/var/lib/awstats(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -6261,33 +6700,46 @@ index 0000000..4b41b25
 +selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8
 new file mode 100644
-index 0000000..dc59fbe
+index 0000000..14fe6d5
 --- /dev/null
 +++ b/man/man8/bcfg2_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,146 @@
 +.TH  "bcfg2_selinux"  "8"  "bcfg2" "dwalsh at redhat.com" "bcfg2 SELinux Policy documentation"
 +.SH "NAME"
 +bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the bcfg2 processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the bcfg2 processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The bcfg2 processes execute with the bcfg2_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep bcfg2_t
++
++
++.SH "ENTRYPOINTS"
 +
++The bcfg2_t SELinux type can be entered via the "bcfg2_exec_t" file type.  The default entrypoint paths for the bcfg2_t domain are the following:"
++
++/usr/sbin/bcfg2-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP 
++The following process types are defined for bcfg2:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B bcfg2_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -6347,27 +6799,9 @@ index 0000000..dc59fbe
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for bcfg2:
-+
-+.EX
-+.B bcfg2_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type bcfg2_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type bcfg2_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B bcfg2_var_lib_t
@@ -6381,6 +6815,22 @@ index 0000000..dc59fbe
 +	/var/run/bcfg2-server\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
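Review bot: The relocated NSSWITCH DOMAIN paragraph for bcfg2_t still reads "rather then using a sssd serve for the bcfg2_t", which is garbled enough that it is unclear what the boolean grants. Since the text is being re-emitted anyway, the template could say `If you want to allow bcfg2_t to resolve user passwd entries directly from LDAP rather than through an sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean.` (wording to be confirmed against the boolean's intended meaning). The same sentence is re-added unchanged for bitlbee_t, blueman_t, bluetooth_helper_t, bluetooth_t and bootloader_t in later hunks.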
@@ -6402,33 +6852,46 @@ index 0000000..dc59fbe
 +selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8
 new file mode 100644
-index 0000000..931cb6d
+index 0000000..10c37dd
 --- /dev/null
 +++ b/man/man8/bitlbee_selinux.8
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,184 @@
 +.TH  "bitlbee_selinux"  "8"  "bitlbee" "dwalsh at redhat.com" "bitlbee SELinux Policy documentation"
 +.SH "NAME"
 +bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the bitlbee processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the bitlbee processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The bitlbee processes execute with the bitlbee_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep bitlbee_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The bitlbee_t SELinux type can be entered via the "bitlbee_exec_t" file type.  The default entrypoint paths for the bitlbee_t domain are the following:"
++
++/usr/sbin/bitlbee, /usr/bin/bip
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
++.PP 
++The following process types are defined for bitlbee:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B bitlbee_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
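Review bot: The note on `semanage permissive -a PROCESS_TYPE` in the bitlbee PROCESS TYPES section now sits near the top of the page but still does not say that this removes enforcement for the whole domain or how to undo it. I would append a sentence such as `Remove the type from permissive mode again with semanage permissive -d PROCESS_TYPE once the AVC messages have been analysed.` so the page does not read as a recommendation to leave a domain permissive. The same note is moved unchanged in the blktap, blueman, bluetooth_helper, bluetooth, boinc and bootloader pages of this patch.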
@@ -6512,27 +6975,9 @@ index 0000000..931cb6d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for bitlbee:
-+
-+.EX
-+.B bitlbee_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type bitlbee_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type bitlbee_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B bitlbee_log_t
@@ -6560,6 +7005,22 @@ index 0000000..931cb6d
 +	/var/lib/bitlbee(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -6581,17 +7042,46 @@ index 0000000..931cb6d
 +selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8
 new file mode 100644
-index 0000000..8035b64
+index 0000000..035dcea
 --- /dev/null
 +++ b/man/man8/blktap_selinux.8
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,115 @@
 +.TH  "blktap_selinux"  "8"  "blktap" "dwalsh at redhat.com" "blktap SELinux Policy documentation"
 +.SH "NAME"
 +blktap_selinux \- Security Enhanced Linux Policy for the blktap processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the blktap processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the blktap processes via flexible mandatory access control.
++
++The blktap processes execute with the blktap_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep blktap_t
++
++
++.SH "ENTRYPOINTS"
++
++The blktap_t SELinux type can be entered via the "blktap_exec_t" file type.  The default entrypoint paths for the blktap_t domain are the following:"
++
++/usr/sbin/blktapctrl, /usr/sbin/tapdisk
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
++.PP 
++The following process types are defined for blktap:
++
++.EX
++.B blktap_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible.
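Review bot: The line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` in the blktap PROCESS TYPES section ends with `\bP`, which is not a font escape, so the bold started by `\fB` is never reset and the sentence may render incorrectly. It should end with `\fBps\fP`, as the new DESCRIPTION paragraph in the same page already does. The same typo is carried along in every other PROCESS TYPES section moved by this patch (bcfg2, bitlbee, blueman, bluetooth_helper, bluetooth, boinc, bootloader, brctl).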
@@ -6604,8 +7094,6 @@ index 0000000..8035b64
 +.B setsebool -P xend_run_blktap 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -6644,27 +7132,11 @@ index 0000000..8035b64
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for blktap:
-+
-+.EX
-+.B blktap_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type blktap_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type blktap_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
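Review bot: The blktap page still gets a bare `.SH NSSWITCH DOMAIN` heading with no body; this hunk only moves it from before FILE CONTEXTS to after MANAGED FILES. An empty section suggests to the reader that content is missing, and it is unclear whether the nsswitch booleans apply to blktap_t at all. The generator should emit the heading only when at least one boolean paragraph follows it; the boinc page has the same empty section in a later hunk. The MANAGED FILES section above it is likewise left without any file types listed.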
@@ -6692,33 +7164,46 @@ index 0000000..8035b64
 \ No newline at end of file
 diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8
 new file mode 100644
-index 0000000..6d0a4e9
+index 0000000..c83d198
 --- /dev/null
 +++ b/man/man8/blueman_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "blueman_selinux"  "8"  "blueman" "dwalsh at redhat.com" "blueman SELinux Policy documentation"
 +.SH "NAME"
 +blueman_selinux \- Security Enhanced Linux Policy for the blueman processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the blueman processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the blueman processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The blueman processes execute with the blueman_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep blueman_t
 +
++
++.SH "ENTRYPOINTS"
++
++The blueman_t SELinux type can be entered via the "blueman_exec_t" file type.  The default entrypoint paths for the blueman_t domain are the following:"
++
++/usr/libexec/blueman-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
++.PP 
++The following process types are defined for blueman:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B blueman_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
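Review bot: The new ENTRYPOINTS sentence for blueman_t ends with a stray double quote (`... are the following:"`), which will be printed literally in the rendered page. The path line `/usr/libexec/blueman-mechanism` is also followed directly by `.SH PROCESS TYPES` with no blank line or `.PP`, unlike the other sections. I would drop the trailing quote and put the paths in an `.EX`/`.EE` block as the boolean examples do; the same template output appears in every ENTRYPOINTS section added by this patch.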
@@ -6754,27 +7239,9 @@ index 0000000..6d0a4e9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for blueman:
-+
-+.EX
-+.B blueman_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type blueman_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type blueman_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B blueman_var_lib_t
@@ -6782,6 +7249,22 @@ index 0000000..6d0a4e9
 +	/var/lib/blueman(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -6803,33 +7286,46 @@ index 0000000..6d0a4e9
 +selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bluetooth_helper_selinux.8 b/man/man8/bluetooth_helper_selinux.8
 new file mode 100644
-index 0000000..0bbf146
+index 0000000..f7f3b94
 --- /dev/null
 +++ b/man/man8/bluetooth_helper_selinux.8
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,155 @@
 +.TH  "bluetooth_helper_selinux"  "8"  "bluetooth_helper" "dwalsh at redhat.com" "bluetooth_helper SELinux Policy documentation"
 +.SH "NAME"
 +bluetooth_helper_selinux \- Security Enhanced Linux Policy for the bluetooth_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the bluetooth_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the bluetooth_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The bluetooth_helper processes execute with the bluetooth_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep bluetooth_helper_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The bluetooth_helper_t SELinux type can be entered via the "bluetooth_helper_exec_t" file type.  The default entrypoint paths for the bluetooth_helper_t domain are the following:"
++
++/usr/bin/blue.*pin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for bluetooth_helper:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B bluetooth_helper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
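Review bot: The ENTRYPOINTS section lists `/usr/bin/blue.*pin` as a "default entrypoint path" for bluetooth_helper_t, but it is a file-context regular expression, not a path. An administrator reading it as a single file may not realise that any file matching the pattern would presumably be labelled bluetooth_helper_exec_t on relabel and become an entrypoint. I would change the sentence to `The default entrypoint path patterns (file context regular expressions) for the bluetooth_helper_t domain are the following:`. The bootloader page has the same issue with `/sbin/grub.*`, `/sbin/lilo.*` and `/usr/sbin/ybin.*`.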
@@ -6873,27 +7369,9 @@ index 0000000..0bbf146
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for bluetooth_helper:
-+
-+.EX
-+.B bluetooth_helper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type bluetooth_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type bluetooth_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B bluetooth_helper_tmp_t
@@ -6918,6 +7396,34 @@ index 0000000..0bbf146
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
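Review bot: The added MANAGED FILES entries `/home/dwalsh/\.fontconfig(/.*)?`, `/home/dwalsh/\.fonts/auto(/.*)?` and `/home/dwalsh/\.fonts\.cache-.*`, plus the three `/var/lib/xguest/home/xguest/...` ones, look like expanded home directories from the machine where the page was generated rather than policy defaults. The generic `/home/[^/]*/\.fonts\.cache-.*` pattern just above already covers them, so they document paths that are wrong on every other system and publish a local account name from the build host. The page generator should probably list only the template patterns and skip the per-user expansions; the generator itself is not visible here, so this is inferred from the output. It would also be worth checking the other regenerated pages in this patch for the same entries.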
@@ -6938,47 +7444,60 @@ index 0000000..0bbf146
 +
 +.SH "SEE ALSO"
 +selinux(8), bluetooth_helper(8), semanage(8), restorecon(8), chcon(1)
-+, bluetooth_selinux(8)
++, bluetooth_selinux(8), bluetooth_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8
 new file mode 100644
-index 0000000..d1beb84
+index 0000000..bdb692e
 --- /dev/null
 +++ b/man/man8/bluetooth_selinux.8
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,249 @@
 +.TH  "bluetooth_selinux"  "8"  "bluetooth" "dwalsh at redhat.com" "bluetooth SELinux Policy documentation"
 +.SH "NAME"
 +bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the bluetooth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the bluetooth processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible.
++The bluetooth processes execute with the bluetooth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
++.B ps -eZ | grep bluetooth_t
 +
-+.EX
-+.B setsebool -P xguest_use_bluetooth 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The bluetooth_t SELinux type can be entered via the "bluetooth_exec_t" file type.  The default entrypoint paths for the bluetooth_t domain are the following:"
++
++/usr/sbin/hcid, /usr/bin/rfcomm, /usr/sbin/sdpd, /usr/bin/hidd, /usr/sbin/bluetoothd, /usr/sbin/hid2hci, /usr/bin/dund, /usr/sbin/hciattach
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
++.PP 
++The following process types are defined for bluetooth:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B bluetooth_helper_t, bluetooth_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P xguest_use_bluetooth 1
 +.EE
 +
 +.SH FILE CONTEXTS
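Review bot: The SEE ALSO line of bluetooth_helper_selinux.8 now reads `, bluetooth_selinux(8), bluetooth_selinux(8)`, listing the same page twice. The related-page list should be de-duplicated before it is written so the line stays `, bluetooth_selinux(8)`. The leading comma on a line of its own after `chcon(1)` is also worth folding into the previous line while the template is being touched.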
@@ -7107,27 +7626,9 @@ index 0000000..d1beb84
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for bluetooth:
-+
-+.EX
-+.B bluetooth_helper_t, bluetooth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type bluetooth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type bluetooth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B bluetooth_conf_rw_t
@@ -7161,6 +7662,22 @@ index 0000000..d1beb84
 +.B usbfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -7187,19 +7704,46 @@ index 0000000..d1beb84
 \ No newline at end of file
 diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8
 new file mode 100644
-index 0000000..4c33797
+index 0000000..5650e12
 --- /dev/null
 +++ b/man/man8/boinc_selinux.8
-@@ -0,0 +1,210 @@
+@@ -0,0 +1,221 @@
 +.TH  "boinc_selinux"  "8"  "boinc" "dwalsh at redhat.com" "boinc SELinux Policy documentation"
 +.SH "NAME"
 +boinc_selinux \- Security Enhanced Linux Policy for the boinc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the boinc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the boinc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The boinc processes execute with the boinc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep boinc_t
++
++
++.SH "ENTRYPOINTS"
++
++The boinc_t SELinux type can be entered via the "boinc_exec_t" file type.  The default entrypoint paths for the boinc_t domain are the following:"
++
++/usr/bin/boinc_client
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
++.PP 
++The following process types are defined for boinc:
++
++.EX
++.B boinc_t, boinc_project_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -7329,27 +7873,9 @@ index 0000000..4c33797
 +Default Defined Ports:
 +tcp 31416
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for boinc:
-+
-+.EX
-+.B boinc_t, boinc_project_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type boinc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type boinc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boinc_log_t
@@ -7379,6 +7905,8 @@ index 0000000..4c33797
 +	/var/lib/boinc(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -7403,43 +7931,56 @@ index 0000000..4c33797
 +selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8
 new file mode 100644
-index 0000000..03c484e
+index 0000000..0627d5a
 --- /dev/null
 +++ b/man/man8/bootloader_selinux.8
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,295 @@
 +.TH  "bootloader_selinux"  "8"  "bootloader" "dwalsh at redhat.com" "bootloader SELinux Policy documentation"
 +.SH "NAME"
 +bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the bootloader processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the bootloader processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible.
++The bootloader processes execute with the bootloader_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
++.B ps -eZ | grep bootloader_t
 +
-+.EX
-+.B setsebool -P xdm_exec_bootloader 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The bootloader_t SELinux type can be entered via the "bootloader_exec_t" file type.  The default entrypoint paths for the bootloader_t domain are the following:"
 +
++/usr/sbin/ybin.*, /usr/sbin/zipl, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/lilo.*, /sbin/grub.*, /sbin/zipl, /usr/sbin/grub.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
++.PP 
++The following process types are defined for bootloader:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B bootloader_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean.
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P xdm_exec_bootloader 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -7500,27 +8041,9 @@ index 0000000..03c484e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for bootloader:
-+
-+.EX
-+.B bootloader_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type bootloader_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type bootloader_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boot_t
@@ -7668,6 +8191,22 @@ index 0000000..03c484e
 +	/var/spool/plymouth/boot\.log
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
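Review bot: The two paragraphs added under `.SH NSSWITCH DOMAIN` say the boolean is turned on "for the bootloader_t", but `setsebool -P` persistently changes a policy-wide boolean. As far as I know, enabling `authlogin_nsswitch_use_ldap` or `kerberos_enabled` therefore widens access for every domain the boolean covers, not only bootloader_t. I would have the generator add a line such as `Note: this boolean is system-wide and affects every domain that uses nsswitch, not only bootloader_t.` The wording `rather then using a sssd serve` should also read `rather than using an sssd server`. The same text is added in the calamaris, callweaver and cdcc hunks.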
@@ -7694,19 +8233,46 @@ index 0000000..03c484e
 \ No newline at end of file
 diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8
 new file mode 100644
-index 0000000..8c805bd
+index 0000000..af78eb3
 --- /dev/null
 +++ b/man/man8/brctl_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,94 @@
 +.TH  "brctl_selinux"  "8"  "brctl" "dwalsh at redhat.com" "brctl SELinux Policy documentation"
 +.SH "NAME"
 +brctl_selinux \- Security Enhanced Linux Policy for the brctl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the brctl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the brctl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The brctl processes execute with the brctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep brctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The brctl_t SELinux type can be entered via the "brctl_exec_t" file type.  The default entrypoint paths for the brctl_t domain are the following:"
++
++/usr/sbin/brctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for brctl:
++
++.EX
++.B brctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
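Review bot: In the re-added PROCESS TYPES text, `option to \fBps\bP` ends the bold run with `\bP` rather than `\fP`, so the font is not reset and the line probably renders wrongly from that point; it should read `option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with an unmatched quote, `are the following:"`, which should be `are the following:`. Both lines repeat unchanged in the cachefilesd, calamaris, callweaver, canna, cardmgr, ccs, cdcc and cdrecord hunks, so the fix presumably belongs in the man page template rather than in each page.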
@@ -7734,27 +8300,9 @@ index 0000000..8c805bd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for brctl:
-+
-+.EX
-+.B brctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type brctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type brctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sysfs_t
@@ -7762,6 +8310,8 @@ index 0000000..8c805bd
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
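Review bot: The added `.SH NSSWITCH DOMAIN` heading has no body in this page, so brctl_selinux(8) gets an empty section. A reader cannot tell whether brctl_t has no nsswitch booleans or whether the text was lost. The heading should be emitted only when at least one boolean paragraph follows it, or be followed by a line such as `No nsswitch booleans apply to this domain.` The cachefilesd, canna, cardmgr, ccs and cdrecord hunks add the same empty heading.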
@@ -7783,19 +8333,46 @@ index 0000000..8c805bd
 +selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8
 new file mode 100644
-index 0000000..109637b
+index 0000000..e942ebc
 --- /dev/null
 +++ b/man/man8/cachefilesd_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,114 @@
 +.TH  "cachefilesd_selinux"  "8"  "cachefilesd" "dwalsh at redhat.com" "cachefilesd SELinux Policy documentation"
 +.SH "NAME"
 +cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cachefilesd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cachefilesd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cachefilesd processes execute with the cachefilesd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cachefilesd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cachefilesd_t SELinux type can be entered via the "cachefilesd_exec_t" file type.  The default entrypoint paths for the cachefilesd_t domain are the following:"
++
++/sbin/cachefilesd, /usr/sbin/cachefilesd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cachefilesd:
++
++.EX
++.B cachefilesd_t, cachefiles_kernel_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -7835,27 +8412,9 @@ index 0000000..109637b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cachefilesd:
-+
-+.EX
-+.B cachefilesd_t, cachefiles_kernel_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cachefilesd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cachefilesd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cachefiles_var_t
@@ -7871,6 +8430,8 @@ index 0000000..109637b
 +	/var/run/cachefilesd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -7892,33 +8453,46 @@ index 0000000..109637b
 +selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8
 new file mode 100644
-index 0000000..1cc7f9e
+index 0000000..f0c3e0e
 --- /dev/null
 +++ b/man/man8/calamaris_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "calamaris_selinux"  "8"  "calamaris" "dwalsh at redhat.com" "calamaris SELinux Policy documentation"
 +.SH "NAME"
 +calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the calamaris processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the calamaris processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The calamaris processes execute with the calamaris_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep calamaris_t
++
++
++.SH "ENTRYPOINTS"
 +
++The calamaris_t SELinux type can be entered via the "calamaris_exec_t" file type.  The default entrypoint paths for the calamaris_t domain are the following:"
++
++/etc/cron\.daily/calamaris
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
++.PP 
++The following process types are defined for calamaris:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B calamaris_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -7962,27 +8536,9 @@ index 0000000..1cc7f9e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for calamaris:
-+
-+.EX
-+.B calamaris_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type calamaris_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type calamaris_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B calamaris_log_t
@@ -7996,6 +8552,22 @@ index 0000000..1cc7f9e
 +	/var/www/calamaris(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -8017,33 +8589,46 @@ index 0000000..1cc7f9e
 +selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8
 new file mode 100644
-index 0000000..614cf13
+index 0000000..e40fedf
 --- /dev/null
 +++ b/man/man8/callweaver_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "callweaver_selinux"  "8"  "callweaver" "dwalsh at redhat.com" "callweaver SELinux Policy documentation"
 +.SH "NAME"
 +callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the callweaver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the callweaver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The callweaver processes execute with the callweaver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep callweaver_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The callweaver_t SELinux type can be entered via the "callweaver_exec_t" file type.  The default entrypoint paths for the callweaver_t domain are the following:"
++
++/usr/sbin/callweaver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
++.PP 
++The following process types are defined for callweaver:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B callweaver_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -8111,27 +8696,9 @@ index 0000000..614cf13
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for callweaver:
-+
-+.EX
-+.B callweaver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type callweaver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type callweaver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B callweaver_log_t
@@ -8157,6 +8724,22 @@ index 0000000..614cf13
 +	/var/run/callweaver(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -8178,19 +8761,46 @@ index 0000000..614cf13
 +selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8
 new file mode 100644
-index 0000000..e326bda
+index 0000000..641a511
 --- /dev/null
 +++ b/man/man8/canna_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,162 @@
 +.TH  "canna_selinux"  "8"  "canna" "dwalsh at redhat.com" "canna SELinux Policy documentation"
 +.SH "NAME"
 +canna_selinux \- Security Enhanced Linux Policy for the canna processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the canna processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the canna processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The canna processes execute with the canna_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep canna_t
++
++
++.SH "ENTRYPOINTS"
++
++The canna_t SELinux type can be entered via the "canna_exec_t" file type.  The default entrypoint paths for the canna_t domain are the following:"
++
++/usr/bin/catdic, /usr/bin/cannaping, /usr/sbin/jserver, /usr/sbin/cannaserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
++.PP 
++The following process types are defined for canna:
++
++.EX
++.B canna_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -8266,27 +8876,9 @@ index 0000000..e326bda
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for canna:
-+
-+.EX
-+.B canna_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type canna_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type canna_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B canna_log_t
@@ -8314,6 +8906,8 @@ index 0000000..e326bda
 +	/var/run/\.iroha_unix
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -8335,19 +8929,46 @@ index 0000000..e326bda
 +selinux(8), canna(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8
 new file mode 100644
-index 0000000..f50086e
+index 0000000..a30fcc9
 --- /dev/null
 +++ b/man/man8/cardmgr_selinux.8
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,168 @@
 +.TH  "cardmgr_selinux"  "8"  "cardmgr" "dwalsh at redhat.com" "cardmgr SELinux Policy documentation"
 +.SH "NAME"
 +cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cardmgr processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cardmgr processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cardmgr processes execute with the cardmgr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cardmgr_t
++
++
++.SH "ENTRYPOINTS"
++
++The cardmgr_t SELinux type can be entered via the "cardmgr_exec_t,cardctl_exec_t" file types.  The default entrypoint paths for the cardmgr_t domain are the following:"
++
++/sbin/cardmgr, /etc/apm/event\.d/pcmcia, /usr/sbin/cardmgr, /sbin/cardctl, /usr/sbin/cardctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
++.PP 
++The following process types are defined for cardmgr:
++
++.EX
++.B cardmgr_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -8415,27 +9036,9 @@ index 0000000..f50086e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cardmgr:
-+
-+.EX
-+.B cardmgr_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cardmgr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cardmgr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cardmgr_var_lib_t
@@ -8477,6 +9080,8 @@ index 0000000..f50086e
 +	/etc/ethers
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -8498,19 +9103,46 @@ index 0000000..f50086e
 +selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8
 new file mode 100644
-index 0000000..29235e8
+index 0000000..31882ef
 --- /dev/null
 +++ b/man/man8/ccs_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,178 @@
 +.TH  "ccs_selinux"  "8"  "ccs" "dwalsh at redhat.com" "ccs SELinux Policy documentation"
 +.SH "NAME"
 +ccs_selinux \- Security Enhanced Linux Policy for the ccs processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ccs processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ccs processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ccs processes execute with the ccs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ccs_t
++
++
++.SH "ENTRYPOINTS"
++
++The ccs_t SELinux type can be entered via the "ccs_exec_t" file type.  The default entrypoint paths for the ccs_t domain are the following:"
++
++/usr/sbin/ccsd, /sbin/ccsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
++.PP 
++The following process types are defined for ccs:
++
++.EX
++.B ccs_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -8586,27 +9218,9 @@ index 0000000..29235e8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ccs:
-+
-+.EX
-+.B ccs_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ccs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ccs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ccs_tmp_t
@@ -8650,6 +9264,8 @@ index 0000000..29235e8
 +.B qpidd_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -8671,33 +9287,46 @@ index 0000000..29235e8
 +selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8
 new file mode 100644
-index 0000000..12029c2
+index 0000000..9cdf58f
 --- /dev/null
 +++ b/man/man8/cdcc_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,126 @@
 +.TH  "cdcc_selinux"  "8"  "cdcc" "dwalsh at redhat.com" "cdcc SELinux Policy documentation"
 +.SH "NAME"
 +cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cdcc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cdcc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cdcc processes execute with the cdcc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cdcc_t
++
++
++.SH "ENTRYPOINTS"
++
++The cdcc_t SELinux type can be entered via the "cdcc_exec_t" file type.  The default entrypoint paths for the cdcc_t domain are the following:"
 +
++/usr/bin/cdcc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
++.PP 
++The following process types are defined for cdcc:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cdcc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -8733,27 +9362,9 @@ index 0000000..12029c2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cdcc:
-+
-+.EX
-+.B cdcc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cdcc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cdcc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cdcc_tmp_t
@@ -8771,6 +9382,22 @@ index 0000000..12029c2
 +	/var/run/dcc/map
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -8792,17 +9419,46 @@ index 0000000..12029c2
 +selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8
 new file mode 100644
-index 0000000..f71011c
+index 0000000..37db85e
 --- /dev/null
 +++ b/man/man8/cdrecord_selinux.8
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,107 @@
 +.TH  "cdrecord_selinux"  "8"  "cdrecord" "dwalsh at redhat.com" "cdrecord SELinux Policy documentation"
 +.SH "NAME"
 +cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cdrecord processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cdrecord processes via flexible mandatory access control.
++
++The cdrecord processes execute with the cdrecord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cdrecord_t
++
++
++.SH "ENTRYPOINTS"
++
++The cdrecord_t SELinux type can be entered via the "cdrecord_exec_t" file type.  The default entrypoint paths for the cdrecord_t domain are the following:"
++
++/usr/bin/cdrecord, /usr/bin/wodim, /usr/bin/growisofs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
++.PP 
++The following process types are defined for cdrecord:
++
++.EX
++.B cdrecord_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible.
@@ -8815,8 +9471,6 @@ index 0000000..f71011c
 +.B setsebool -P cdrecord_read_content 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -8847,27 +9501,11 @@ index 0000000..f71011c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cdrecord:
-+
-+.EX
-+.B cdrecord_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cdrecord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cdrecord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -8895,33 +9533,46 @@ index 0000000..f71011c
 \ No newline at end of file
 diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8
 new file mode 100644
-index 0000000..846276a
+index 0000000..f8b1f7d
 --- /dev/null
 +++ b/man/man8/certmaster_selinux.8
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,206 @@
 +.TH  "certmaster_selinux"  "8"  "certmaster" "dwalsh at redhat.com" "certmaster SELinux Policy documentation"
 +.SH "NAME"
 +certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the certmaster processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the certmaster processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The certmaster processes execute with the certmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep certmaster_t
 +
++
++.SH "ENTRYPOINTS"
++
++The certmaster_t SELinux type can be entered via the "certmaster_exec_t" file type.  The default entrypoint paths for the certmaster_t domain are the following:"
++
++/usr/bin/certmaster
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
++.PP 
++The following process types are defined for certmaster:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B certmaster_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9012,27 +9663,9 @@ index 0000000..846276a
 +Default Defined Ports:
 +tcp 51235
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for certmaster:
-+
-+.EX
-+.B certmaster_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type certmaster_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type certmaster_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cert_t
@@ -9072,6 +9705,22 @@ index 0000000..846276a
 +	/var/run/certmaster.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9096,33 +9745,46 @@ index 0000000..846276a
 +selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8
 new file mode 100644
-index 0000000..8528cdd
+index 0000000..70c4b32
 --- /dev/null
 +++ b/man/man8/certmonger_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,172 @@
 +.TH  "certmonger_selinux"  "8"  "certmonger" "dwalsh at redhat.com" "certmonger SELinux Policy documentation"
 +.SH "NAME"
 +certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the certmonger processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the certmonger processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The certmonger processes execute with the certmonger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep certmonger_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The certmonger_t SELinux type can be entered via the "certmonger_exec_t" file type.  The default entrypoint paths for the certmonger_t domain are the following:"
++
++/usr/sbin/certmonger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
++.PP 
++The following process types are defined for certmonger:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B certmonger_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9182,27 +9844,9 @@ index 0000000..8528cdd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for certmonger:
-+
-+.EX
-+.B certmonger_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type certmonger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type certmonger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -9242,6 +9886,22 @@ index 0000000..8528cdd
 +	/etc/dirsrv(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9263,19 +9923,46 @@ index 0000000..8528cdd
 +selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8
 new file mode 100644
-index 0000000..db1e4da
+index 0000000..2a9b5ac
 --- /dev/null
 +++ b/man/man8/certwatch_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,94 @@
 +.TH  "certwatch_selinux"  "8"  "certwatch" "dwalsh at redhat.com" "certwatch SELinux Policy documentation"
 +.SH "NAME"
 +certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the certwatch processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the certwatch processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The certwatch processes execute with the certwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep certwatch_t
++
++
++.SH "ENTRYPOINTS"
++
++The certwatch_t SELinux type can be entered via the "certwatch_exec_t" file type.  The default entrypoint paths for the certwatch_t domain are the following:"
++
++/usr/bin/certwatch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
++.PP 
++The following process types are defined for certwatch:
++
++.EX
++.B certwatch_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9303,27 +9990,9 @@ index 0000000..db1e4da
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for certwatch:
-+
-+.EX
-+.B certwatch_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type certwatch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type certwatch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -9331,6 +10000,8 @@ index 0000000..db1e4da
 +	/var/cache/coolkey(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9352,33 +10023,46 @@ index 0000000..db1e4da
 +selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cfengine_execd_selinux.8 b/man/man8/cfengine_execd_selinux.8
 new file mode 100644
-index 0000000..cf0f531
+index 0000000..216cdf2
 --- /dev/null
 +++ b/man/man8/cfengine_execd_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,115 @@
 +.TH  "cfengine_execd_selinux"  "8"  "cfengine_execd" "dwalsh at redhat.com" "cfengine_execd SELinux Policy documentation"
 +.SH "NAME"
 +cfengine_execd_selinux \- Security Enhanced Linux Policy for the cfengine_execd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cfengine_execd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cfengine_execd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cfengine_execd processes execute with the cfengine_execd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cfengine_execd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The cfengine_execd_t SELinux type can be entered via the "cfengine_execd_exec_t" file type.  The default entrypoint paths for the cfengine_execd_t domain are the following:"
++
++/usr/sbin/cf-execd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cfengine_execd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cfengine_execd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cfengine_execd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9406,27 +10090,9 @@ index 0000000..cf0f531
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cfengine_execd:
-+
-+.EX
-+.B cfengine_execd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cfengine_execd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cfengine_execd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cfengine_var_lib_t
@@ -9440,6 +10106,22 @@ index 0000000..cf0f531
 +	/var/cfengine/outputs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cfengine_execd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9459,35 +10141,50 @@ index 0000000..cf0f531
 +
 +.SH "SEE ALSO"
 +selinux(8), cfengine_execd(8), semanage(8), restorecon(8), chcon(1)
++, cfengine_monitord_selinux(8), cfengine_serverd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/cfengine_monitord_selinux.8 b/man/man8/cfengine_monitord_selinux.8
 new file mode 100644
-index 0000000..a3d1770
+index 0000000..3cd407f
 --- /dev/null
 +++ b/man/man8/cfengine_monitord_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,115 @@
 +.TH  "cfengine_monitord_selinux"  "8"  "cfengine_monitord" "dwalsh at redhat.com" "cfengine_monitord SELinux Policy documentation"
 +.SH "NAME"
 +cfengine_monitord_selinux \- Security Enhanced Linux Policy for the cfengine_monitord processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cfengine_monitord processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cfengine_monitord processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cfengine_monitord processes execute with the cfengine_monitord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_monitord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cfengine_monitord_t
++
++
++.SH "ENTRYPOINTS"
 +
++The cfengine_monitord_t SELinux type can be entered via the "cfengine_monitord_exec_t" file type.  The default entrypoint paths for the cfengine_monitord_t domain are the following:"
++
++/usr/sbin/cf-monitord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cfengine_monitord_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible.
++.PP 
++The following process types are defined for cfengine_monitord:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cfengine_monitord_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9515,27 +10212,9 @@ index 0000000..a3d1770
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cfengine_monitord:
-+
-+.EX
-+.B cfengine_monitord_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cfengine_monitord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cfengine_monitord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cfengine_var_lib_t
@@ -9549,6 +10228,22 @@ index 0000000..a3d1770
 +	/var/cfengine/outputs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_monitord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cfengine_monitord_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9568,35 +10263,50 @@ index 0000000..a3d1770
 +
 +.SH "SEE ALSO"
 +selinux(8), cfengine_monitord(8), semanage(8), restorecon(8), chcon(1)
++, cfengine_execd_selinux(8), cfengine_serverd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/cfengine_serverd_selinux.8 b/man/man8/cfengine_serverd_selinux.8
 new file mode 100644
-index 0000000..125e4f9
+index 0000000..acf05c6
 --- /dev/null
 +++ b/man/man8/cfengine_serverd_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,115 @@
 +.TH  "cfengine_serverd_selinux"  "8"  "cfengine_serverd" "dwalsh at redhat.com" "cfengine_serverd SELinux Policy documentation"
 +.SH "NAME"
 +cfengine_serverd_selinux \- Security Enhanced Linux Policy for the cfengine_serverd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cfengine_serverd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cfengine_serverd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cfengine_serverd processes execute with the cfengine_serverd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep cfengine_serverd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The cfengine_serverd_t SELinux type can be entered via the "cfengine_serverd_exec_t" file type.  The default entrypoint paths for the cfengine_serverd_t domain are the following:"
++
++/usr/sbin/cf-serverd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cfengine_serverd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cfengine_serverd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cfengine_serverd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9624,27 +10334,9 @@ index 0000000..125e4f9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cfengine_serverd:
-+
-+.EX
-+.B cfengine_serverd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cfengine_serverd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cfengine_serverd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cfengine_var_lib_t
@@ -9658,6 +10350,22 @@ index 0000000..125e4f9
 +	/var/cfengine/outputs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cfengine_serverd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9677,21 +10385,50 @@ index 0000000..125e4f9
 +
 +.SH "SEE ALSO"
 +selinux(8), cfengine_serverd(8), semanage(8), restorecon(8), chcon(1)
++, cfengine_execd_selinux(8), cfengine_monitord_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8
 new file mode 100644
-index 0000000..05e9a98
+index 0000000..7ec11e9
 --- /dev/null
 +++ b/man/man8/cgclear_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "cgclear_selinux"  "8"  "cgclear" "dwalsh at redhat.com" "cgclear SELinux Policy documentation"
 +.SH "NAME"
 +cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cgclear processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cgclear processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cgclear processes execute with the cgclear_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cgclear_t
++
++
++.SH "ENTRYPOINTS"
++
++The cgclear_t SELinux type can be entered via the "cgclear_exec_t" file type.  The default entrypoint paths for the cgclear_t domain are the following:"
++
++/sbin/cgclear, /usr/sbin/cgclear
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
++.PP 
++The following process types are defined for cgclear:
++
++.EX
++.B cgclear_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9723,27 +10460,9 @@ index 0000000..05e9a98
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cgclear:
-+
-+.EX
-+.B cgclear_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cgclear_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cgclear_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgroup_t
@@ -9753,6 +10472,8 @@ index 0000000..05e9a98
 +	/sys/fs/cgroup
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -9774,33 +10495,46 @@ index 0000000..05e9a98
 +selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8
 new file mode 100644
-index 0000000..625db2c
+index 0000000..74979e8
 --- /dev/null
 +++ b/man/man8/cgconfig_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,134 @@
 +.TH  "cgconfig_selinux"  "8"  "cgconfig" "dwalsh at redhat.com" "cgconfig SELinux Policy documentation"
 +.SH "NAME"
 +cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cgconfig processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cgconfig processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cgconfig processes execute with the cgconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep cgconfig_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The cgconfig_t SELinux type can be entered via the "cgconfig_exec_t" file type.  The default entrypoint paths for the cgconfig_t domain are the following:"
++
++/usr/sbin/cgconfigparser, /sbin/cgconfigparser
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
++.PP 
++The following process types are defined for cgconfig:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cgconfig_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
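Review bot: The re-added PROCESS TYPES text closes the bold span with `\fBps\bP`, which should be `\fBps\fP`; `\b` is roff's bracket-building escape rather than a font change, so the bold is never closed and the text after it is likely to render wrongly. The line was moved unchanged from its old position, and the same escape appears in the PROCESS TYPES blocks re-added for cgred, checkpc, checkpolicy, chfn, chkpwd and chrome_sandbox_nacl. The new ENTRYPOINTS sentence also ends with an unbalanced quote, `are the following:"`, in each of those pages; drop the trailing `"`. The man page body continues outside this hunk.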
@@ -9852,27 +10586,9 @@ index 0000000..625db2c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cgconfig:
-+
-+.EX
-+.B cgconfig_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cgconfig_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cgconfig_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgroup_t
@@ -9882,6 +10598,22 @@ index 0000000..625db2c
 +	/sys/fs/cgroup
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
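Review bot: The NSSWITCH DOMAIN paragraphs present `authlogin_nsswitch_use_ldap` and `kerberos_enabled` as if they were scoped to this domain ("for the cgconfig_t"), but SELinux booleans are policy-wide, so `setsebool -P ... 1` changes the rules for every domain the boolean covers and persists across reboots. A sentence such as `This boolean is global: enabling it affects all domains that use it, not only cgconfig_t.` would keep an administrator from widening access by accident. The first paragraph also has two typos, `rather then using a sssd serve` for `rather than using an sssd server`. The same text is re-added in cgred_selinux.8, chfn_selinux.8 and chkpwd_selinux.8.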
@@ -9903,33 +10635,46 @@ index 0000000..625db2c
 +selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8
 new file mode 100644
-index 0000000..b8ec36f
+index 0000000..f79cbab
 --- /dev/null
 +++ b/man/man8/cgred_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,150 @@
 +.TH  "cgred_selinux"  "8"  "cgred" "dwalsh at redhat.com" "cgred SELinux Policy documentation"
 +.SH "NAME"
 +cgred_selinux \- Security Enhanced Linux Policy for the cgred processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cgred processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cgred processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cgred processes execute with the cgred_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cgred_t
++
++
++.SH "ENTRYPOINTS"
 +
++The cgred_t SELinux type can be entered via the "cgred_exec_t" file type.  The default entrypoint paths for the cgred_t domain are the following:"
++
++/sbin/cgrulesengd, /usr/sbin/cgrulesengd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
++.PP 
++The following process types are defined for cgred:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cgred_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -9985,27 +10730,9 @@ index 0000000..b8ec36f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cgred:
-+
-+.EX
-+.B cgred_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cgred_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cgred_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgred_log_t
@@ -10027,6 +10754,22 @@ index 0000000..b8ec36f
 +	/sys/fs/cgroup
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -10048,19 +10791,46 @@ index 0000000..b8ec36f
 +selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8
 new file mode 100644
-index 0000000..942f348
+index 0000000..32205e6
 --- /dev/null
 +++ b/man/man8/checkpc_selinux.8
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,110 @@
 +.TH  "checkpc_selinux"  "8"  "checkpc" "dwalsh at redhat.com" "checkpc SELinux Policy documentation"
 +.SH "NAME"
 +checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the checkpc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the checkpc processes via flexible mandatory access control.
++
++The checkpc processes execute with the checkpc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep checkpc_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The checkpc_t SELinux type can be entered via the "checkpc_exec_t" file type.  The default entrypoint paths for the checkpc_t domain are the following:"
++
++/usr/sbin/checkpc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
++.PP 
++The following process types are defined for checkpc:
++
++.EX
++.B checkpc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -10096,27 +10866,9 @@ index 0000000..942f348
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for checkpc:
-+
-+.EX
-+.B checkpc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type checkpc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type checkpc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B checkpc_log_t
@@ -10132,6 +10884,8 @@ index 0000000..942f348
 +	/var/spool/cups-pdf(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -10153,19 +10907,46 @@ index 0000000..942f348
 +selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8
 new file mode 100644
-index 0000000..0e52e03
+index 0000000..a6da919
 --- /dev/null
 +++ b/man/man8/checkpolicy_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "checkpolicy_selinux"  "8"  "checkpolicy" "dwalsh at redhat.com" "checkpolicy SELinux Policy documentation"
 +.SH "NAME"
 +checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the checkpolicy processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the checkpolicy processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The checkpolicy processes execute with the checkpolicy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep checkpolicy_t
++
++
++.SH "ENTRYPOINTS"
++
++The checkpolicy_t SELinux type can be entered via the "checkpolicy_exec_t" file type.  The default entrypoint paths for the checkpolicy_t domain are the following:"
++
++/usr/bin/checkpolicy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
++.PP 
++The following process types are defined for checkpolicy:
++
++.EX
++.B checkpolicy_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -10193,27 +10974,9 @@ index 0000000..0e52e03
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for checkpolicy:
-+
-+.EX
-+.B checkpolicy_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type checkpolicy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type checkpolicy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B semanage_store_t
@@ -10227,6 +10990,8 @@ index 0000000..0e52e03
 +	/etc/share/selinux/targeted(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -10248,33 +11013,46 @@ index 0000000..0e52e03
 +selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8
 new file mode 100644
-index 0000000..63c2b04
+index 0000000..3738d8e
 --- /dev/null
 +++ b/man/man8/chfn_selinux.8
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,190 @@
 +.TH  "chfn_selinux"  "8"  "chfn" "dwalsh at redhat.com" "chfn SELinux Policy documentation"
 +.SH "NAME"
 +chfn_selinux \- Security Enhanced Linux Policy for the chfn processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the chfn processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the chfn processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The chfn processes execute with the chfn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep chfn_t
 +
++
++.SH "ENTRYPOINTS"
++
++The chfn_t SELinux type can be entered via the "chfn_exec_t" file type.  The default entrypoint paths for the chfn_t domain are the following:"
++
++/usr/bin/chfn, /usr/bin/chsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
++.PP 
++The following process types are defined for chfn:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B chfn_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -10306,27 +11084,9 @@ index 0000000..63c2b04
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for chfn:
-+
-+.EX
-+.B chfn_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type chfn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type chfn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -10407,6 +11167,26 @@ index 0000000..63c2b04
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
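Review bot: The two added MANAGED FILES entries `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` look like per-user contexts picked up from the machine the page was generated on, not part of the shipped policy. Both are already matched by the `/tmp/gconfd-.*` entry just above them, so they add nothing for the reader while exposing local account names and making the generated page differ from host to host. Regenerate the page against a clean policy store, or have the generator filter out entries that only expand a user name.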
@@ -10429,33 +11209,46 @@ index 0000000..63c2b04
 +selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8
 new file mode 100644
-index 0000000..e70bad7
+index 0000000..3e0db2e
 --- /dev/null
 +++ b/man/man8/chkpwd_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,106 @@
 +.TH  "chkpwd_selinux"  "8"  "chkpwd" "dwalsh at redhat.com" "chkpwd SELinux Policy documentation"
 +.SH "NAME"
 +chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the chkpwd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the chkpwd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The chkpwd processes execute with the chkpwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep chkpwd_t
++
++
++.SH "ENTRYPOINTS"
++
++The chkpwd_t SELinux type can be entered via the "chkpwd_exec_t" file type.  The default entrypoint paths for the chkpwd_t domain are the following:"
 +
++/sbin/unix_verify, /sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the chkpwd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for chkpwd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B chkpwd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -10487,27 +11280,25 @@ index 0000000..e70bad7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type chkpwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for chkpwd:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B chkpwd_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the chkpwd_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type chkpwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
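Review bot: In chkpwd_selinux.8 the MANAGED FILES section promises `the following file types` and then lists none before `.SH NSSWITCH DOMAIN` starts. For a password-checking helper an empty list may well be the intended least-privilege result, but the page reads as if output was lost. Either skip the section when the list is empty or say so, e.g. `The chkpwd_t process type cannot manage any file types.` Whether the list is really empty should be confirmed against the policy, which this hunk does not show.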
@@ -10530,19 +11321,46 @@ index 0000000..e70bad7
 +selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/chrome_sandbox_nacl_selinux.8 b/man/man8/chrome_sandbox_nacl_selinux.8
 new file mode 100644
-index 0000000..ce170d4
+index 0000000..4f141ab
 --- /dev/null
 +++ b/man/man8/chrome_sandbox_nacl_selinux.8
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,97 @@
 +.TH  "chrome_sandbox_nacl_selinux"  "8"  "chrome_sandbox_nacl" "dwalsh at redhat.com" "chrome_sandbox_nacl SELinux Policy documentation"
 +.SH "NAME"
 +chrome_sandbox_nacl_selinux \- Security Enhanced Linux Policy for the chrome_sandbox_nacl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the chrome_sandbox_nacl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the chrome_sandbox_nacl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The chrome_sandbox_nacl processes execute with the chrome_sandbox_nacl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep chrome_sandbox_nacl_t
++
++
++.SH "ENTRYPOINTS"
++
++The chrome_sandbox_nacl_t SELinux type can be entered via the "chrome_sandbox_nacl_exec_t,bin_t" file types.  The default entrypoint paths for the chrome_sandbox_nacl_t domain are the following:"
++
++/usr/lib/chromium-browser/nacl_helper_bootstrap, /opt/google/chrome/nacl_helper_bootstrap, /etc/ppp/ip-up\..*, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /usr/lib/virtualbox/VBoxManage, /usr/lib/.*/scripts(/.*)?, /etc/ppp/ip-down\..*, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/shorewall-perl(/.*)?, /usr/Brother(/.*)?, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/lib/mailman.*/mail(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/share/cluster/ocf-shellfuncs, /bin, /usr/lib/.*/program(/.*)?, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/apr-0/build/libtool, /usr/lib/pm-utils(/.*)?, /etc/sysconfig/network-scripts/net.*, /usr/share/system-config-language/system-config-language, /usr/lib/vte/gnome-pty-helper, /etc/lxdm/Pre.*, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/nagios/plugins(/.*)?, /usr/share/PackageKit/helpers(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/fence(/.*)?, /etc/sysconfig/network-scripts/init.*, 
 /usr/lib/xulrunner[^/]*/updater, /etc/mcelog/cache-error-trigger, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-netboot/pxeos\.py, /usr/share/cluster/.*\.sh, /usr/lib/udev/devices/MAKEDEV, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/mc/extfs/.*, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /var/qmail/rc, /var/mailman.*/bin(/.*)?, /usr/share/system-config-nfs/system-config-nfs\.py, /sbin, /usr/share/texmf/web2c/mktexupd, /usr/lib/readahead(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/xen/bin(/.*)?, /usr/share/Modules/init(/.*)?, /var/qmail/bin, /opt/google/talkplugin(/.*)?, /etc/profile.d(/.*)?, /usr/share/hwbrowser/hwbrowser, /usr/share/dayplanner/dayplanner, /usr/lib/nspluginwrapper/np.*, /usr/share/printconf/util/print\.py, /usr/lib/[^/]*/run-mozilla\.sh, /usr/linuxprinter/filters(/.*)?, /usr/share/system-config-network/neat-control\.py, /usr/lib/[^/]*/mozilla-xremote-client, /usr/share/hal/scripts(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunder
 bird, /usr/share/system-config-selinux/polgen\.py, /usr/lib(.*/)?sbin(/.*)?, /lib/udev/devices/MAKEDEV, /etc/vmware-tools(/.*)?, /etc/PackageKit/events(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /usr/share/sectool/.*\.py, /etc/pki/tls/certs/make-dummy-cert, /usr/lib/rpm/rpmd, /usr/lib/tuned/.*/.*\.sh, /usr/share/cluster/svclib_nfslock, /usr/libexec(/.*)?, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/apr-0/build/[^/]+\.sh, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /bin/mountpoint, /usr/share/rhn/rhn_applet/needed-packages\.py, /lib/security/pam_krb5(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/rpm/rpmk, /etc/apcupsd/commok, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/clamav/freshclam-sleep, /usr/lib/mediawiki/math/texvc.*, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/xfce4(/.*)?, /usr/share/system-config-services/system-config-services, /opt/(.*/)?libexec(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /usr/lib/debug/sbin(/.*)?, /etc/sysconfig/libvirtd, 
 /etc/cron.weekly(/.*)?, /usr/lib/ccache/bin(/.*)?, /sbin/.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /usr/lib/yp/.+, /usr/share/wicd/daemon(/.*)?, /etc/ppp/ipv6-up\..*, /etc/acpi/actions(/.*)?, /etc/sysconfig/network-scripts/ifdown.*, /usr/share/cluster/SAPDatabase, /usr/share/system-config-soundcard/system-config-soundcard, /usr/lib/udev/scsi_id, /etc/pm/power\.d(/.*)?, /usr/share/system-config-services/gui\.py, /etc/lxdm/Xsession, /usr/lib/cyrus-imapd/.*, /usr/sbin/insmod_ksymoops_clean, /etc/cipe/ip-down.*, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/share/shorewall/compiler\.pl, /usr/share/pydict/pydict\.py, /dev/MAKEDEV, /usr/share/shorewall-shell(/.*)?, /emul/ia32-linux/bin(/.*)?, /root/bin(/.*)?, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/system-config-selinux\.py, /etc/ppp/ipv6-down\..*, /usr/share/pwlib/make/ptlib-config, /usr/lib/ConsoleKit/scripts(/.*)?, /opt/(.*/)?bin(/.*)?, /etc/init
 \.d/functions, /lib/readahead(/.*)?, /etc/apcupsd/apccontrol, /usr/share/system-config-samba/system-config-samba\.py, /usr/lib/misc/sftp-server, /etc/apcupsd/onbattery, /usr/lib/qt.*/bin(/.*)?, /usr/share/cvs/contrib/rcs2log, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/fedora-usermgmt/wrapper, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/share/ssl/misc(/.*)?, /etc/apcupsd/changeme, /etc/apcupsd/offbattery, /etc/apcupsd/commfailure, /etc/sysconfig/readonly-root, /etc/cron.monthly(/.*)?, /var/ftp/bin(/.*)?, /usr/lib/xfce4/xfwm4/helper-dialog, /usr/lib/iscan/network, /usr/share/shorewall-lite(/.*)?, /usr/Printer(/.*)?, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/lib/news/bin(/.*)?, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-netboot/pxeboot\.py, /etc/auto\.[^/]*, /usr/Brother/(.*/)?inf/brprintconf.*, /etc/apcupsd/ma
 sterconnect, /etc/avahi/.*\.action, /usr/lib/netsaint/plugins(/.*)?, /usr/share/authconfig/authconfig-tui\.py, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/lib/dracut(/.*)?, /usr/share/kde4/apps/kajongg/kajongg.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/selinux/devel/policygentool, /etc/mail/make, /usr/lib/debug/usr/libexec(/.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/libexec/openssh/sftp-server, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/chromium-browser(/.*)?, /etc/sysconfig/init, /usr/share/system-logviewer/system-logviewer\.py, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /usr/lib/wicd/monitor\.py, /etc/pki/tls/misc(/.*)?, /etc/cron.hourly(/.*)?, /etc/xen/qemu-ifup, /usr/share/system-config-services/serviceconf\.py, /usr/share/tucan.*/tucan.py, /usr/lib/portage/bin(/.*)?, /etc/lxdm/LoginReady, /etc/mcelog/triggers(/.*)?, /usr/share/texmf/web2c/mktexnam, /et
 c/gdm/XKeepsCrashing[^/]*, /usr/lib/apt/methods.+, /etc/rc\.d/init\.d/functions, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /etc/kde/shutdown(/.*)?, /usr/lib/cups(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /usr/share/gnucash/finance-quote-helper, /etc/cron.daily(/.*)?, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/lib/rpm/rpmv, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/munin/plugins(/.*)?, /usr/share/clamav/clamd-gen, /etc/lxdm/Post.*, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /etc/hotplug/.*agent, /usr/lib/emacsen-common/.*, /usr/lib/jvm/java(.*/)bin(/.*), /etc/sysconfig/network-scripts/ifup.*, /usr/lib/xfce4/xfconf/xfconfd, /usr/lib/MailScanner(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/share/ajaxterm/qweb.py.*, /usr/share/switchdesk/switchdesk-gui\.py, /usr/lib/ipsec/.*, /usr/share/turboprint/lib(/.*)?, /usr/sbin/mkfs\.cramfs, /var/qmail/bin(/.*)?, /etc/sysconfig/crond, /usr/share/hplip/[^/]*, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/s
 hare/debconf/.+, /usr/share/shorewall/configpath, /usr/bin/pingus.*, /etc/hotplug/hotplug\.functions, /usr/lib/mailman.*/bin(/.*)?, /usr/share/texmf/web2c/mktexdir, /usr/share/gnucash/finance-quote-check, /etc/redhat-lsb(/.*)?, /usr/X11R6/lib/X11/xkb/xkbcomp, /etc/gdm/[^/]+, /opt/google/chrome(/.*)?, /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/dpkg/.+, /usr/share/sandbox/sandboxX.sh, /etc/cipe/ip-up.*, /usr/lib/udev/[^/]*, /usr/bin/mountpoint, /lib/udev/scsi_id, /bin/.*, /emul/ia32-linux/sbin(/.*)?, /var/lib/iscan/interpreter, /etc/dhcp/dhclient\.d(/.*)?, /etc/racoon/scripts(/.*)?, /opt/(.*/)?sbin(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/spamassassin/sa-update\.cron, /usr/share/rhn/rhn_applet/applet\.py, /etc/X11/xdm/TakeConsole, /usr/(.*/)?sbin(/.*)?, /etc/X11/xinit(/.*)?, /usr/share/shorewall/getparams, /usr/share/cluster/checkquorum, /etc/X11/xdm/GiveConsole, /usr/lib/xfce4/session/xfsm-shutdown-helper, /lib/upstart(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/gdm/[^/]+/.
 *, /usr/share/system-config-httpd/system-config-httpd, /usr/lib/upstart(/.*)?, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/system-config-users/system-config-users, /etc/mgetty\+sendfax/new_fax, /usr/lib/debug/bin(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /etc/hotplug/.*rc, /usr/lib/courier(/.*)?, /etc/X11/xdm/Xsetup_0, /etc/netplug\.d(/.*)?, /usr/Brother/(.*/)?inf/setup.*, /usr/lib/xfce4/session/balou-install-theme, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/smolt/client(/.*)?, /usr/bin, /etc/sysconfig/netconsole, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/xfce4/panel/migrate, /usr/share/ajaxterm/ajaxterm.py.*, /sbin/mkfs\.cramfs, /usr/share/authconfig/authconfig\.py, /usr/share/system-config-date/system-config-date\.py, /usr/share/virtualbox/.*\.sh, /etc/apcupsd/mastertimeout, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/texmf/texconfig/tcfmgr, /etc/kde/env(/.*)?, /usr/lib/rpm/rpmq, /sbin/insmod_ksymoops_
 clean, /usr/lib/xfce4/panel/wrapper, /usr/share/system-config-printer/applet\.py, /etc/hotplug\.d/default/default.*, /usr/lib(.*/)?bin(/.*)?, /usr/share/gitolite/hooks/common/update, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /usr/lib/sftp-server, /usr/share/system-config-display/system-config-display, /lib/udev/[^/]*, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/denyhosts/scripts(/.*)?, /usr/share/createrepo(/.*)?, /usr/lib/yaboot/addnote, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/share/cluster/SAPInstance
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible.
++.PP 
++The following process types are defined for chrome_sandbox_nacl:
++
++.EX
++.B chrome_sandbox_nacl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
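Review bot: The ENTRYPOINTS paragraph for chrome_sandbox_nacl_t names `chrome_sandbox_nacl_exec_t,bin_t` and then expands every bin_t path into one line several thousand characters long, which buries the two `nacl_helper_bootstrap` paths that presumably belong to the dedicated type. For a sandbox domain the notable fact is that the generic `bin_t` type is accepted as an entrypoint at all; whether that is intended should be checked in the policy source, which is not part of this hunk. In the page, list only the paths of `chrome_sandbox_nacl_exec_t` and refer to `bin_t` by type name. A line of that length is also fragile in transport: in this copy it is folded mid-word (`thunder` / `bird`, `/et` / `c/gdm`) and the continuation lines no longer carry the `+` marker.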
@@ -10574,32 +11392,16 @@ index 0000000..ce170d4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for chrome_sandbox_nacl:
-+
-+.EX
-+.B chrome_sandbox_nacl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type chrome_sandbox_nacl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type chrome_sandbox_nacl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B chrome_sandbox_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
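Review bot: The added `.SH NSSWITCH DOMAIN` heading is followed directly by `.SH "COMMANDS"`, so the rendered page shows a section title with no content for chrome_sandbox_nacl_t. The generator should emit this heading only when it has at least one boolean paragraph to put under it, as it does in the chronyd, clamd and clvmd pages later in this patch. The same empty heading is added in the later hunks for chrome_sandbox, ciped, clamscan, clogd and cmirrord. In the rewritten MANAGED FILES sentence, `Note the processes UID still need to have DAC permissions.` would read better as `Note that the process's UID still needs DAC permissions.`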
@@ -10619,21 +11421,50 @@ index 0000000..ce170d4
 +
 +.SH "SEE ALSO"
 +selinux(8), chrome_sandbox_nacl(8), semanage(8), restorecon(8), chcon(1)
-+, chrome_sandbox_selinux(8)
++, chrome_sandbox_selinux(8), chrome_sandbox_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/chrome_sandbox_selinux.8 b/man/man8/chrome_sandbox_selinux.8
 new file mode 100644
-index 0000000..ac42fa4
+index 0000000..da5d245
 --- /dev/null
 +++ b/man/man8/chrome_sandbox_selinux.8
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,203 @@
 +.TH  "chrome_sandbox_selinux"  "8"  "chrome_sandbox" "dwalsh at redhat.com" "chrome_sandbox SELinux Policy documentation"
 +.SH "NAME"
 +chrome_sandbox_selinux \- Security Enhanced Linux Policy for the chrome_sandbox processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the chrome_sandbox processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the chrome_sandbox processes via flexible mandatory access control.
++
++The chrome_sandbox processes execute with the chrome_sandbox_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep chrome_sandbox_t
++
++
++.SH "ENTRYPOINTS"
++
++The chrome_sandbox_t SELinux type can be entered via the "chrome_sandbox_exec_t" file type.  The default entrypoint paths for the chrome_sandbox_t domain are the following:"
++
++/usr/lib/chromium-browser/chrome-sandbox, /opt/google/chrome/chrome-sandbox
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible.
++.PP 
++The following process types are defined for chrome_sandbox:
++
++.EX
++.B chrome_sandbox_t, chrome_sandbox_nacl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  chrome_sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome_sandbox with the tightest access possible.
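Review bot: The relocated PROCESS TYPES text still ends its `ps` reference with `\fBps\bP`, which is not the font-reset escape, so the bold run is not closed as intended; the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new DESCRIPTION paragraph in this same hunk already uses the correct `\fBps\fP` form, so the two now disagree within one page. The ENTRYPOINTS sentence also ends with a stray quote (`are the following:"`), and the SEE ALSO line for chrome_sandbox_nacl now lists `chrome_sandbox_selinux(8)` twice where one entry is enough. The `\bP` typo and the stray quote repeat in the chronyd, ciped, clamd, clamscan, clogd, clvmd and cmirrord hunks that follow, so the fix belongs in the man page generator rather than in each page.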
@@ -10646,8 +11477,6 @@ index 0000000..ac42fa4
 +.B setsebool -P unconfined_chrome_sandbox_transition 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -10706,27 +11535,9 @@ index 0000000..ac42fa4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for chrome_sandbox:
-+
-+.EX
-+.B chrome_sandbox_t, chrome_sandbox_nacl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type chrome_sandbox_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type chrome_sandbox_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgroup_t
@@ -10755,6 +11566,18 @@ index 0000000..ac42fa4
 +.br
 +	/home/[^/]*/\.cert(/.*)?
 +.br
++	/home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++	/home/dwalsh/\.pki(/.*)?
++.br
++	/home/dwalsh/\.cert(/.*)?
++.br
++	/var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.pki(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cert(/.*)?
++.br
 +
 +.br
 +.B user_fonts_cache_t
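Review bot: The added entries under `/home/dwalsh/` and `/var/lib/xguest/home/xguest/` look like per-user expansions of accounts on the machine where this page was generated, not default paths of the policy. The generic `/home/[^/]*/\.cert(/.*)?` pattern just above already documents the per-user location. Shipping the expanded forms puts build-host account names into a distributed man page and lists paths that will not exist on other systems. The pages should be generated in a clean build root, or the generator should drop file-context entries derived from local users so that only the `/home/[^/]*/...` patterns are listed. The next hunk adds the same expansions for the font cache paths (`/home/dwalsh/\.fontconfig(/.*)?` and the xguest equivalents).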
@@ -10771,6 +11594,20 @@ index 0000000..ac42fa4
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -10798,33 +11635,46 @@ index 0000000..ac42fa4
 \ No newline at end of file
 diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8
 new file mode 100644
-index 0000000..9b5d538
+index 0000000..b31012f
 --- /dev/null
 +++ b/man/man8/chronyd_selinux.8
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,218 @@
 +.TH  "chronyd_selinux"  "8"  "chronyd" "dwalsh at redhat.com" "chronyd SELinux Policy documentation"
 +.SH "NAME"
 +chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the chronyd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the chronyd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The chronyd processes execute with the chronyd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep chronyd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The chronyd_t SELinux type can be entered via the "chronyd_exec_t" file type.  The default entrypoint paths for the chronyd_t domain are the following:"
++
++/usr/sbin/chronyd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
++.PP 
++The following process types are defined for chronyd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B chronyd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -10935,27 +11785,9 @@ index 0000000..9b5d538
 +Default Defined Ports:
 +udp 323
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for chronyd:
-+
-+.EX
-+.B chronyd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type chronyd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type chronyd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B chronyd_tmpfs_t
@@ -10987,6 +11819,22 @@ index 0000000..9b5d538
 +.B gpsd_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -11011,19 +11859,46 @@ index 0000000..9b5d538
 +selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8
 new file mode 100644
-index 0000000..760b1c2
+index 0000000..f437b07
 --- /dev/null
 +++ b/man/man8/ciped_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,88 @@
 +.TH  "ciped_selinux"  "8"  "ciped" "dwalsh at redhat.com" "ciped SELinux Policy documentation"
 +.SH "NAME"
 +ciped_selinux \- Security Enhanced Linux Policy for the ciped processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ciped processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ciped processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ciped processes execute with the ciped_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ciped_t
++
++
++.SH "ENTRYPOINTS"
++
++The ciped_t SELinux type can be entered via the "ciped_exec_t" file type.  The default entrypoint paths for the ciped_t domain are the following:"
++
++/usr/sbin/ciped.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
++.PP 
++The following process types are defined for ciped:
++
++.EX
++.B ciped_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -11051,27 +11926,11 @@ index 0000000..760b1c2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ciped:
-+
-+.EX
-+.B ciped_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ciped_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ciped_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -11094,17 +11953,46 @@ index 0000000..760b1c2
 +selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8
 new file mode 100644
-index 0000000..42f178a
+index 0000000..19ccf7e
 --- /dev/null
 +++ b/man/man8/clamd_selinux.8
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,265 @@
 +.TH  "clamd_selinux"  "8"  "clamd" "dwalsh at redhat.com" "clamd SELinux Policy documentation"
 +.SH "NAME"
 +clamd_selinux \- Security Enhanced Linux Policy for the clamd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the clamd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the clamd processes via flexible mandatory access control.
++
++The clamd processes execute with the clamd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep clamd_t
++
++
++.SH "ENTRYPOINTS"
++
++The clamd_t SELinux type can be entered via the "clamd_exec_t" file type.  The default entrypoint paths for the clamd_t domain are the following:"
++
++/usr/sbin/clamd, /usr/sbin/clamav-milter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
++.PP 
++The following process types are defined for clamd:
++
++.EX
++.B clamd_t, clamscan_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible.
@@ -11131,22 +12019,6 @@ index 0000000..42f178a
 +.B setsebool -P clamd_use_jit 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -11268,27 +12140,9 @@ index 0000000..42f178a
 +Default Defined Ports:
 +tcp 3310
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for clamd:
-+
-+.EX
-+.B clamd_t, clamscan_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type clamd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type clamd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B clamd_tmp_t
@@ -11326,6 +12180,22 @@ index 0000000..42f178a
 +	/var/spool/amavisd/clamd\.sock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -11355,17 +12225,46 @@ index 0000000..42f178a
 \ No newline at end of file
 diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8
 new file mode 100644
-index 0000000..3fd406a
+index 0000000..d00e41b
 --- /dev/null
 +++ b/man/man8/clamscan_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,142 @@
 +.TH  "clamscan_selinux"  "8"  "clamscan" "dwalsh at redhat.com" "clamscan SELinux Policy documentation"
 +.SH "NAME"
 +clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the clamscan processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the clamscan processes via flexible mandatory access control.
++
++The clamscan processes execute with the clamscan_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep clamscan_t
++
++
++.SH "ENTRYPOINTS"
++
++The clamscan_t SELinux type can be entered via the "clamscan_exec_t" file type.  The default entrypoint paths for the clamscan_t domain are the following:"
++
++/usr/bin/clamdscan, /usr/bin/clamscan
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
++.PP 
++The following process types are defined for clamscan:
++
++.EX
++.B clamscan_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible.
@@ -11385,8 +12284,6 @@ index 0000000..3fd406a
 +.B setsebool -P clamscan_can_scan_system 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -11425,27 +12322,9 @@ index 0000000..3fd406a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for clamscan:
-+
-+.EX
-+.B clamscan_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type clamscan_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type clamscan_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amavis_spool_t
@@ -11467,6 +12346,8 @@ index 0000000..3fd406a
 +.B clamscan_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -11493,19 +12374,46 @@ index 0000000..3fd406a
 \ No newline at end of file
 diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8
 new file mode 100644
-index 0000000..069dcaa
+index 0000000..b2f5de7
 --- /dev/null
 +++ b/man/man8/clogd_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,114 @@
 +.TH  "clogd_selinux"  "8"  "clogd" "dwalsh at redhat.com" "clogd SELinux Policy documentation"
 +.SH "NAME"
 +clogd_selinux \- Security Enhanced Linux Policy for the clogd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the clogd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the clogd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The clogd processes execute with the clogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep clogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The clogd_t SELinux type can be entered via the "clogd_exec_t" file type.  The default entrypoint paths for the clogd_t domain are the following:"
++
++/usr/sbin/clogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for clogd:
++
++.EX
++.B clogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -11549,27 +12457,9 @@ index 0000000..069dcaa
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for clogd:
-+
-+.EX
-+.B clogd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type clogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type clogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B clogd_tmpfs_t
@@ -11581,6 +12471,8 @@ index 0000000..069dcaa
 +	/var/run/clogd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -11602,33 +12494,46 @@ index 0000000..069dcaa
 +selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8
 new file mode 100644
-index 0000000..8731ff2
+index 0000000..f8e119b
 --- /dev/null
 +++ b/man/man8/clvmd_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,140 @@
 +.TH  "clvmd_selinux"  "8"  "clvmd" "dwalsh at redhat.com" "clvmd SELinux Policy documentation"
 +.SH "NAME"
 +clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the clvmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the clvmd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The clvmd processes execute with the clvmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep clvmd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The clvmd_t SELinux type can be entered via the "clvmd_exec_t" file type.  The default entrypoint paths for the clvmd_t domain are the following:"
++
++/usr/sbin/clvmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for clvmd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B clvmd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -11680,27 +12585,9 @@ index 0000000..8731ff2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for clvmd:
-+
-+.EX
-+.B clvmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type clvmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type clvmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -11716,6 +12603,22 @@ index 0000000..8731ff2
 +	/var/run/clvmd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -11737,19 +12640,46 @@ index 0000000..8731ff2
 +selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8
 new file mode 100644
-index 0000000..54fbebe
+index 0000000..acb70af
 --- /dev/null
 +++ b/man/man8/cmirrord_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "cmirrord_selinux"  "8"  "cmirrord" "dwalsh at redhat.com" "cmirrord SELinux Policy documentation"
 +.SH "NAME"
 +cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cmirrord processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cmirrord processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cmirrord processes execute with the cmirrord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cmirrord_t
++
++
++.SH "ENTRYPOINTS"
++
++The cmirrord_t SELinux type can be entered via the "cmirrord_exec_t" file type.  The default entrypoint paths for the cmirrord_t domain are the following:"
++
++/usr/sbin/cmirrord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
++.PP 
++The following process types are defined for cmirrord:
++
++.EX
++.B cmirrord_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -11801,27 +12731,9 @@ index 0000000..54fbebe
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cmirrord:
-+
-+.EX
-+.B cmirrord_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cmirrord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cmirrord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cmirrord_tmpfs_t
@@ -11833,6 +12745,8 @@ index 0000000..54fbebe
 +	/var/run/cmirrord\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -11854,17 +12768,46 @@ index 0000000..54fbebe
 +selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8
 new file mode 100644
-index 0000000..c42baa4
+index 0000000..008af88
 --- /dev/null
 +++ b/man/man8/cobblerd_selinux.8
-@@ -0,0 +1,343 @@
+@@ -0,0 +1,354 @@
 +.TH  "cobblerd_selinux"  "8"  "cobblerd" "dwalsh at redhat.com" "cobblerd SELinux Policy documentation"
 +.SH "NAME"
 +cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cobblerd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cobblerd processes via flexible mandatory access control.
++
++The cobblerd processes execute with the cobblerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cobblerd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cobblerd_t SELinux type can be entered via the "cobblerd_exec_t" file type.  The default entrypoint paths for the cobblerd_t domain are the following:"
++
++/usr/bin/cobblerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cobblerd:
++
++.EX
++.B cobblerd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible.
@@ -11898,8 +12841,6 @@ index 0000000..c42baa4
 +.B setsebool -P cobbler_use_cifs 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
 +.TP
@@ -11991,27 +12932,9 @@ index 0000000..c42baa4
 +Default Defined Ports:
 +tcp 25151
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cobblerd:
-+
-+.EX
-+.B cobblerd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cobblerd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cobblerd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cobbler_tmp_t
@@ -12175,6 +13098,8 @@ index 0000000..c42baa4
 +	/etc/xinetd\.d/tftp
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -12204,17 +13129,46 @@ index 0000000..c42baa4
 \ No newline at end of file
 diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8
 new file mode 100644
-index 0000000..bada43b
+index 0000000..1eed969
 --- /dev/null
 +++ b/man/man8/collectd_selinux.8
-@@ -0,0 +1,136 @@
+@@ -0,0 +1,147 @@
 +.TH  "collectd_selinux"  "8"  "collectd" "dwalsh at redhat.com" "collectd SELinux Policy documentation"
 +.SH "NAME"
 +collectd_selinux \- Security Enhanced Linux Policy for the collectd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the collectd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the collectd processes via flexible mandatory access control.
++
++The collectd processes execute with the collectd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep collectd_t
++
++
++.SH "ENTRYPOINTS"
++
++The collectd_t SELinux type can be entered via the "collectd_exec_t" file type.  The default entrypoint paths for the collectd_t domain are the following:"
++
++/usr/sbin/collectd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
++.PP 
++The following process types are defined for collectd:
++
++.EX
++.B collectd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible.
@@ -12227,8 +13181,6 @@ index 0000000..bada43b
 +.B setsebool -P collectd_can_network_connect 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -12287,27 +13239,9 @@ index 0000000..bada43b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for collectd:
-+
-+.EX
-+.B collectd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type collectd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type collectd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B collectd_var_lib_t
@@ -12321,6 +13255,8 @@ index 0000000..bada43b
 +	/var/run/collectd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -12347,33 +13283,46 @@ index 0000000..bada43b
 \ No newline at end of file
 diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8
 new file mode 100644
-index 0000000..e9e543d
+index 0000000..fa0dd70
 --- /dev/null
 +++ b/man/man8/colord_selinux.8
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,170 @@
 +.TH  "colord_selinux"  "8"  "colord" "dwalsh at redhat.com" "colord SELinux Policy documentation"
 +.SH "NAME"
 +colord_selinux \- Security Enhanced Linux Policy for the colord processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the colord processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the colord processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The colord processes execute with the colord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep colord_t
 +
++
++.SH "ENTRYPOINTS"
++
++The colord_t SELinux type can be entered via the "colord_exec_t" file type.  The default entrypoint paths for the colord_t domain are the following:"
++
++/usr/libexec/colord-sane, /usr/libexec/colord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
++.PP 
++The following process types are defined for colord:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B colord_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -12441,27 +13390,9 @@ index 0000000..e9e543d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for colord:
-+
-+.EX
-+.B colord_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type colord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type colord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B colord_tmp_t
@@ -12491,6 +13422,22 @@ index 0000000..e9e543d
 +.B zoneminder_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -12512,33 +13459,46 @@ index 0000000..e9e543d
 +selinux(8), colord(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8
 new file mode 100644
-index 0000000..a94d43e
+index 0000000..b3b1028
 --- /dev/null
 +++ b/man/man8/comsat_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,152 @@
 +.TH  "comsat_selinux"  "8"  "comsat" "dwalsh at redhat.com" "comsat SELinux Policy documentation"
 +.SH "NAME"
 +comsat_selinux \- Security Enhanced Linux Policy for the comsat processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the comsat processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the comsat processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The comsat processes execute with the comsat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep comsat_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The comsat_t SELinux type can be entered via the "comsat_exec_t" file type.  The default entrypoint paths for the comsat_t domain are the following:"
++
++/usr/sbin/in\.comsat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
++.PP 
++The following process types are defined for comsat:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B comsat_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -12605,27 +13565,9 @@ index 0000000..a94d43e
 +Default Defined Ports:
 +udp 512
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for comsat:
-+
-+.EX
-+.B comsat_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type comsat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type comsat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B comsat_tmp_t
@@ -12635,6 +13577,22 @@ index 0000000..a94d43e
 +.B comsat_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -12659,33 +13617,46 @@ index 0000000..a94d43e
 +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/condor_collector_selinux.8 b/man/man8/condor_collector_selinux.8
 new file mode 100644
-index 0000000..38b67d1
+index 0000000..0c2c684
 --- /dev/null
 +++ b/man/man8/condor_collector_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "condor_collector_selinux"  "8"  "condor_collector" "dwalsh at redhat.com" "condor_collector SELinux Policy documentation"
 +.SH "NAME"
 +condor_collector_selinux \- Security Enhanced Linux Policy for the condor_collector processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the condor_collector processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the condor_collector processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The condor_collector processes execute with the condor_collector_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_collector_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep condor_collector_t
++
++
++.SH "ENTRYPOINTS"
 +
++The condor_collector_t SELinux type can be entered via the "condor_collector_exec_t" file type.  The default entrypoint paths for the condor_collector_t domain are the following:"
++
++/usr/sbin/condor_collector
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the condor_collector_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible.
++.PP 
++The following process types are defined for condor_collector:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B condor_collector_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -12713,27 +13684,9 @@ index 0000000..38b67d1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for condor_collector:
-+
-+.EX
-+.B condor_collector_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type condor_collector_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type condor_collector_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B condor_log_t
@@ -12763,6 +13716,22 @@ index 0000000..38b67d1
 +	/var/run/condor(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_collector_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_collector_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -12782,21 +13751,50 @@ index 0000000..38b67d1
 +
 +.SH "SEE ALSO"
 +selinux(8), condor_collector(8), semanage(8), restorecon(8), chcon(1)
++, condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/condor_master_selinux.8 b/man/man8/condor_master_selinux.8
 new file mode 100644
-index 0000000..199cb6a
+index 0000000..7833cff
 --- /dev/null
 +++ b/man/man8/condor_master_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,117 @@
 +.TH  "condor_master_selinux"  "8"  "condor_master" "dwalsh at redhat.com" "condor_master SELinux Policy documentation"
 +.SH "NAME"
 +condor_master_selinux \- Security Enhanced Linux Policy for the condor_master processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the condor_master processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the condor_master processes via flexible mandatory access control.
++
++The condor_master processes execute with the condor_master_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep condor_master_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The condor_master_t SELinux type can be entered via the "condor_master_exec_t" file type.  The default entrypoint paths for the condor_master_t domain are the following:"
++
++/usr/sbin/condor_master
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible.
++.PP 
++The following process types are defined for condor_master:
++
++.EX
++.B condor_master_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
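Review bot: The appended SEE ALSO continuation starts a new input line with a comma (`, condor_master_selinux(8), ...`). In fill mode roff joins the two lines with a space, so the page renders `chcon(1) , condor_master_selinux(8)`. Moving the comma to the end of the preceding line, `selinux(8), condor_collector(8), semanage(8), restorecon(8), chcon(1),`, avoids the stray space. The file also now ends without a trailing newline. The same pattern appears in the condor_master and condor_negotiator SEE ALSO hunks.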
@@ -12824,27 +13822,9 @@ index 0000000..199cb6a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for condor_master:
-+
-+.EX
-+.B condor_master_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type condor_master_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type condor_master_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B condor_log_t
@@ -12874,6 +13854,8 @@ index 0000000..199cb6a
 +	/var/run/condor(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -12893,35 +13875,50 @@ index 0000000..199cb6a
 +
 +.SH "SEE ALSO"
 +selinux(8), condor_master(8), semanage(8), restorecon(8), chcon(1)
++, condor_collector_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/condor_negotiator_selinux.8 b/man/man8/condor_negotiator_selinux.8
 new file mode 100644
-index 0000000..8cc8c88
+index 0000000..f3b5156
 --- /dev/null
 +++ b/man/man8/condor_negotiator_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "condor_negotiator_selinux"  "8"  "condor_negotiator" "dwalsh at redhat.com" "condor_negotiator SELinux Policy documentation"
 +.SH "NAME"
 +condor_negotiator_selinux \- Security Enhanced Linux Policy for the condor_negotiator processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the condor_negotiator processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the condor_negotiator processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The condor_negotiator processes execute with the condor_negotiator_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_negotiator_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep condor_negotiator_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The condor_negotiator_t SELinux type can be entered via the "condor_negotiator_exec_t" file type.  The default entrypoint paths for the condor_negotiator_t domain are the following:"
++
++/usr/sbin/condor_negotiator
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the condor_negotiator_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible.
++.PP 
++The following process types are defined for condor_negotiator:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B condor_negotiator_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -12949,27 +13946,9 @@ index 0000000..8cc8c88
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for condor_negotiator:
-+
-+.EX
-+.B condor_negotiator_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type condor_negotiator_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type condor_negotiator_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B condor_log_t
@@ -12999,6 +13978,22 @@ index 0000000..8cc8c88
 +	/var/run/condor(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_negotiator_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_negotiator_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -13018,35 +14013,50 @@ index 0000000..8cc8c88
 +
 +.SH "SEE ALSO"
 +selinux(8), condor_negotiator(8), semanage(8), restorecon(8), chcon(1)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/condor_procd_selinux.8 b/man/man8/condor_procd_selinux.8
 new file mode 100644
-index 0000000..fb6ef3d
+index 0000000..6171951
 --- /dev/null
 +++ b/man/man8/condor_procd_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "condor_procd_selinux"  "8"  "condor_procd" "dwalsh at redhat.com" "condor_procd SELinux Policy documentation"
 +.SH "NAME"
 +condor_procd_selinux \- Security Enhanced Linux Policy for the condor_procd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the condor_procd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the condor_procd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The condor_procd processes execute with the condor_procd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep condor_procd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The condor_procd_t SELinux type can be entered via the "condor_procd_exec_t" file type.  The default entrypoint paths for the condor_procd_t domain are the following:"
++
++/usr/sbin/condor_procd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible.
++.PP 
++The following process types are defined for condor_procd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B condor_procd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
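Review bot: The added PROCESS TYPES paragraph for condor_procd closes the bold run with `\bP` instead of `\fP` in `\fBps\bP`, so the font is probably not reset after `ps` when the page is rendered. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. In the same hunk the ENTRYPOINTS sentence ends with a stray quote (`are the following:"`), which should be dropped. Both strings repeat unchanged in the condor_schedd, condor_startd, consolekit, consoletype, corosync and couchdb hunks, so if these pages come from a template (as the identical wording suggests), the fix belongs there rather than in each file.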
@@ -13074,27 +14084,9 @@ index 0000000..fb6ef3d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for condor_procd:
-+
-+.EX
-+.B condor_procd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type condor_procd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type condor_procd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B condor_log_t
@@ -13124,6 +14116,22 @@ index 0000000..fb6ef3d
 +	/var/run/condor(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -13143,35 +14151,50 @@ index 0000000..fb6ef3d
 +
 +.SH "SEE ALSO"
 +selinux(8), condor_procd(8), semanage(8), restorecon(8), chcon(1)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/condor_schedd_selinux.8 b/man/man8/condor_schedd_selinux.8
 new file mode 100644
-index 0000000..182d529
+index 0000000..be0d967
 --- /dev/null
 +++ b/man/man8/condor_schedd_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,143 @@
 +.TH  "condor_schedd_selinux"  "8"  "condor_schedd" "dwalsh at redhat.com" "condor_schedd SELinux Policy documentation"
 +.SH "NAME"
 +condor_schedd_selinux \- Security Enhanced Linux Policy for the condor_schedd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the condor_schedd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the condor_schedd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The condor_schedd processes execute with the condor_schedd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep condor_schedd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The condor_schedd_t SELinux type can be entered via the "condor_schedd_exec_t" file type.  The default entrypoint paths for the condor_schedd_t domain are the following:"
++
++/usr/sbin/condor_schedd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the condor_schedd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible.
++.PP 
++The following process types are defined for condor_schedd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B condor_schedd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -13207,27 +14230,9 @@ index 0000000..182d529
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for condor_schedd:
-+
-+.EX
-+.B condor_schedd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type condor_schedd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type condor_schedd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B condor_log_t
@@ -13261,6 +14266,22 @@ index 0000000..182d529
 +	/var/run/condor(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_schedd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -13280,35 +14301,50 @@ index 0000000..182d529
 +
 +.SH "SEE ALSO"
 +selinux(8), condor_schedd(8), semanage(8), restorecon(8), chcon(1)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_startd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/condor_startd_selinux.8 b/man/man8/condor_startd_selinux.8
 new file mode 100644
-index 0000000..66dcc83
+index 0000000..f4bf12b
 --- /dev/null
 +++ b/man/man8/condor_startd_selinux.8
-@@ -0,0 +1,169 @@
+@@ -0,0 +1,189 @@
 +.TH  "condor_startd_selinux"  "8"  "condor_startd" "dwalsh at redhat.com" "condor_startd SELinux Policy documentation"
 +.SH "NAME"
 +condor_startd_selinux \- Security Enhanced Linux Policy for the condor_startd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the condor_startd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the condor_startd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The condor_startd processes execute with the condor_startd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_startd_t, condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep condor_startd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The condor_startd_t SELinux type can be entered via the "condor_startd_exec_t" file type.  The default entrypoint paths for the condor_startd_t domain are the following:"
++
++/usr/sbin/condor_starter, /usr/sbin/condor_startd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_startd_ssh_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible.
++.PP 
++The following process types are defined for condor_startd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B condor_startd_ssh_t, condor_startd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -13356,27 +14392,9 @@ index 0000000..66dcc83
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for condor_startd:
-+
-+.EX
-+.B condor_startd_ssh_t, condor_startd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type condor_startd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type condor_startd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B condor_log_t
@@ -13435,6 +14453,30 @@ index 0000000..66dcc83
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_startd_t, condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_startd_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
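Review bot: The added MANAGED FILES entries `/home/dwalsh/\.ssh(/.*)?` and `/home/dwalsh/\.shosts` name one account's home directory, although the generic `/home/[^/]*/\.shosts` pattern just above already covers it. That suggests the path list was taken from the file contexts of the machine the page was built on (inferred; the generator is not shown here). If so, the shipped man page documents host-local state as if it were the policy default. I would drop the per-user lines and keep only the `/home/[^/]*/` forms, and also check whether the `/var/lib/xguest/home/xguest/` lines are host-specific. The same applies to the `/home/dwalsh/\.fontconfig(/.*)?` group added in the consolekit hunk.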
@@ -13455,35 +14497,50 @@ index 0000000..66dcc83
 +
 +.SH "SEE ALSO"
 +selinux(8), condor_startd(8), semanage(8), restorecon(8), chcon(1)
++, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8
 new file mode 100644
-index 0000000..9632d0c
+index 0000000..f3129b1
 --- /dev/null
 +++ b/man/man8/consolekit_selinux.8
-@@ -0,0 +1,191 @@
+@@ -0,0 +1,214 @@
 +.TH  "consolekit_selinux"  "8"  "consolekit" "dwalsh at redhat.com" "consolekit SELinux Policy documentation"
 +.SH "NAME"
 +consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the consolekit processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the consolekit processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The consolekit processes execute with the consolekit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep consolekit_t
++
++
++.SH "ENTRYPOINTS"
 +
++The consolekit_t SELinux type can be entered via the "consolekit_exec_t" file type.  The default entrypoint paths for the consolekit_t domain are the following:"
++
++/usr/sbin/console-kit-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
++.PP 
++The following process types are defined for consolekit:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B consolekit_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -13547,27 +14604,9 @@ index 0000000..9632d0c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for consolekit:
-+
-+.EX
-+.B consolekit_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type consolekit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type consolekit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B consolekit_log_t
@@ -13626,6 +14665,18 @@ index 0000000..9632d0c
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B wtmp_t
@@ -13633,6 +14684,22 @@ index 0000000..9632d0c
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -13654,19 +14721,46 @@ index 0000000..9632d0c
 +selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8
 new file mode 100644
-index 0000000..165e37c
+index 0000000..cab921c
 --- /dev/null
 +++ b/man/man8/consoletype_selinux.8
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,96 @@
 +.TH  "consoletype_selinux"  "8"  "consoletype" "dwalsh at redhat.com" "consoletype SELinux Policy documentation"
 +.SH "NAME"
 +consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the consoletype processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the consoletype processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The consoletype processes execute with the consoletype_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep consoletype_t
++
++
++.SH "ENTRYPOINTS"
++
++The consoletype_t SELinux type can be entered via the "consoletype_exec_t" file type.  The default entrypoint paths for the consoletype_t domain are the following:"
++
++/usr/sbin/consoletype, /sbin/consoletype
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
++.PP 
++The following process types are defined for consoletype:
++
++.EX
++.B consoletype_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -13698,32 +14792,16 @@ index 0000000..165e37c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for consoletype:
-+
-+.EX
-+.B consoletype_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type consoletype_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type consoletype_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
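Review bot: The consoletype page gains an `.SH NSSWITCH DOMAIN` heading with no body, because the next request is already `.SH "COMMANDS"`. The other pages in this patch put the authlogin_nsswitch_use_ldap and kerberos_enabled paragraphs under that heading. An empty section suggests to readers that nsswitch settings apply to consoletype_t without saying which. The heading should be omitted when there is nothing to list under it.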
@@ -13745,33 +14823,46 @@ index 0000000..165e37c
 +selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8
 new file mode 100644
-index 0000000..c4f9340
+index 0000000..b4e5a70
 --- /dev/null
 +++ b/man/man8/corosync_selinux.8
-@@ -0,0 +1,265 @@
+@@ -0,0 +1,276 @@
 +.TH  "corosync_selinux"  "8"  "corosync" "dwalsh at redhat.com" "corosync SELinux Policy documentation"
 +.SH "NAME"
 +corosync_selinux \- Security Enhanced Linux Policy for the corosync processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the corosync processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the corosync processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The corosync processes execute with the corosync_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep corosync_t
++
++
++.SH "ENTRYPOINTS"
 +
++The corosync_t SELinux type can be entered via the "corosync_exec_t" file type.  The default entrypoint paths for the corosync_t domain are the following:"
++
++/usr/sbin/ccs_tool, /usr/sbin/corosync, /usr/sbin/corosync-notifyd, /usr/sbin/cman_tool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
++.PP 
++The following process types are defined for corosync:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B corosync_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -13863,27 +14954,9 @@ index 0000000..c4f9340
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for corosync:
-+
-+.EX
-+.B corosync_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type corosync_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type corosync_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_tmpfs
@@ -13995,6 +15068,22 @@ index 0000000..c4f9340
 +	/var/lib(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -14016,33 +15105,46 @@ index 0000000..c4f9340
 +selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8
 new file mode 100644
-index 0000000..c1235b5
+index 0000000..0c7a670
 --- /dev/null
 +++ b/man/man8/couchdb_selinux.8
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,200 @@
 +.TH  "couchdb_selinux"  "8"  "couchdb" "dwalsh at redhat.com" "couchdb SELinux Policy documentation"
 +.SH "NAME"
 +couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the couchdb processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the couchdb processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The couchdb processes execute with the couchdb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep couchdb_t
 +
++
++.SH "ENTRYPOINTS"
++
++The couchdb_t SELinux type can be entered via the "couchdb_exec_t" file type.  The default entrypoint paths for the couchdb_t domain are the following:"
++
++/usr/bin/couchdb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
++.PP 
++The following process types are defined for couchdb:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B couchdb_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14143,27 +15245,9 @@ index 0000000..c1235b5
 +.EE
 +udp 5984
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for couchdb:
-+
-+.EX
-+.B couchdb_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type couchdb_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type couchdb_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B couchdb_log_t
@@ -14187,6 +15271,22 @@ index 0000000..c1235b5
 +	/var/run/couchdb(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -14211,33 +15311,46 @@ index 0000000..c1235b5
 +selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/courier_authdaemon_selinux.8 b/man/man8/courier_authdaemon_selinux.8
 new file mode 100644
-index 0000000..2d2507b
+index 0000000..f9dbba1
 --- /dev/null
 +++ b/man/man8/courier_authdaemon_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,139 @@
 +.TH  "courier_authdaemon_selinux"  "8"  "courier_authdaemon" "dwalsh at redhat.com" "courier_authdaemon SELinux Policy documentation"
 +.SH "NAME"
 +courier_authdaemon_selinux \- Security Enhanced Linux Policy for the courier_authdaemon processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the courier_authdaemon processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the courier_authdaemon processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The courier_authdaemon processes execute with the courier_authdaemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep courier_authdaemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_authdaemon_t SELinux type can be entered via the "courier_authdaemon_exec_t" file type.  The default entrypoint paths for the courier_authdaemon_t domain are the following:"
 +
++/usr/sbin/authdaemond, /usr/lib/courier/authlib/.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the courier_authdaemon_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible.
++.PP 
++The following process types are defined for courier_authdaemon:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B courier_authdaemon_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
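Review bot: The relocated PROCESS TYPES section still carries `\fBps\bP`, where `\bP` is not the `\fP` font reset, so bold is probably never switched off after the command name. It should be `\fBps\fP`, which is how the new DESCRIPTION paragraph in this same hunk already writes it. The ENTRYPOINTS sentence also ends in a stray quote (`are the following:"`). Both recur in the courier_pcp, courier_pop, courier_sqwebmail, courier_tcpd, cpucontrol, cpufreqselector, cpuspeed and crack pages below, which suggests the fix belongs in the generator's template rather than in each page.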
@@ -14269,27 +15382,9 @@ index 0000000..2d2507b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for courier_authdaemon:
-+
-+.EX
-+.B courier_authdaemon_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type courier_authdaemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type courier_authdaemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B courier_var_run_t
@@ -14323,6 +15418,22 @@ index 0000000..2d2507b
 +	/var/run/pcscd\.comm
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the courier_authdaemon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -14342,21 +15453,50 @@ index 0000000..2d2507b
 +
 +.SH "SEE ALSO"
 +selinux(8), courier_authdaemon(8), semanage(8), restorecon(8), chcon(1)
++, courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/courier_pcp_selinux.8 b/man/man8/courier_pcp_selinux.8
 new file mode 100644
-index 0000000..d8e70f5
+index 0000000..6d77b62
 --- /dev/null
 +++ b/man/man8/courier_pcp_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "courier_pcp_selinux"  "8"  "courier_pcp" "dwalsh at redhat.com" "courier_pcp SELinux Policy documentation"
 +.SH "NAME"
 +courier_pcp_selinux \- Security Enhanced Linux Policy for the courier_pcp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the courier_pcp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the courier_pcp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The courier_pcp processes execute with the courier_pcp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep courier_pcp_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_pcp_t SELinux type can be entered via the "courier_pcp_exec_t" file type.  The default entrypoint paths for the courier_pcp_t domain are the following:"
++
++/usr/lib/courier/courier/pcpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible.
++.PP 
++The following process types are defined for courier_pcp:
++
++.EX
++.B courier_pcp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14384,27 +15524,9 @@ index 0000000..d8e70f5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for courier_pcp:
-+
-+.EX
-+.B courier_pcp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type courier_pcp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type courier_pcp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B courier_var_run_t
@@ -14412,6 +15534,8 @@ index 0000000..d8e70f5
 +	/var/run/courier(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
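Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so the courier_pcp page gets an empty section. On the couchdb and courier_authdaemon pages the same heading introduces the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` booleans, so an empty heading leaves the reader unsure whether courier_pcp_t uses nsswitch or whether text is missing. The heading should be emitted only when there is text under it. The same empty heading is added for courier_pop, courier_sqwebmail, courier_tcpd, cpucontrol, cpufreqselector, cpuspeed and crack.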
@@ -14431,21 +15555,50 @@ index 0000000..d8e70f5
 +
 +.SH "SEE ALSO"
 +selinux(8), courier_pcp(8), semanage(8), restorecon(8), chcon(1)
++, courier_authdaemon_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/courier_pop_selinux.8 b/man/man8/courier_pop_selinux.8
 new file mode 100644
-index 0000000..59be1e0
+index 0000000..96e857a
 --- /dev/null
 +++ b/man/man8/courier_pop_selinux.8
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,109 @@
 +.TH  "courier_pop_selinux"  "8"  "courier_pop" "dwalsh at redhat.com" "courier_pop SELinux Policy documentation"
 +.SH "NAME"
 +courier_pop_selinux \- Security Enhanced Linux Policy for the courier_pop processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the courier_pop processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the courier_pop processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The courier_pop processes execute with the courier_pop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep courier_pop_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_pop_t SELinux type can be entered via the "courier_pop_exec_t" file type.  The default entrypoint paths for the courier_pop_t domain are the following:"
++
++/usr/lib/courier/imapd, /usr/lib/courier/courier/courierpop.*, /usr/lib/courier/pop3d, /usr/lib/courier/courier/imaplogin, /usr/bin/imapd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible.
++.PP 
++The following process types are defined for courier_pop:
++
++.EX
++.B courier_pop_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14477,27 +15630,9 @@ index 0000000..59be1e0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for courier_pop:
-+
-+.EX
-+.B courier_pop_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type courier_pop_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type courier_pop_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B courier_var_run_t
@@ -14510,6 +15645,12 @@ index 0000000..59be1e0
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
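Review bot: The added paths `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` look like home directories of accounts on the machine that generated the page, not default paths shipped with the policy; the existing `/home/[^/]*/.+` line already covers the generic case. Shipping them publishes a local account name and documents paths that will not exist on an administrator's system. I would drop both lines together with their `.br`, and generate the pages from a clean policy store or filter per-user file-context entries. This is inferred from the path names, since the generator is not visible in this hunk.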
@@ -14530,21 +15671,50 @@ index 0000000..59be1e0
 +
 +.SH "SEE ALSO"
 +selinux(8), courier_pop(8), semanage(8), restorecon(8), chcon(1)
++, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/courier_sqwebmail_selinux.8 b/man/man8/courier_sqwebmail_selinux.8
 new file mode 100644
-index 0000000..c6ca9b6
+index 0000000..0e6c094
 --- /dev/null
 +++ b/man/man8/courier_sqwebmail_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "courier_sqwebmail_selinux"  "8"  "courier_sqwebmail" "dwalsh at redhat.com" "courier_sqwebmail SELinux Policy documentation"
 +.SH "NAME"
 +courier_sqwebmail_selinux \- Security Enhanced Linux Policy for the courier_sqwebmail processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the courier_sqwebmail processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the courier_sqwebmail processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The courier_sqwebmail processes execute with the courier_sqwebmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep courier_sqwebmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_sqwebmail_t SELinux type can be entered via the "courier_sqwebmail_exec_t" file type.  The default entrypoint paths for the courier_sqwebmail_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for courier_sqwebmail:
++
++.EX
++.B courier_sqwebmail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
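Review bot: The new ENTRYPOINTS section for courier_sqwebmail_t names `courier_sqwebmail_exec_t` and then lists no paths after `are the following:`. A reader cannot tell whether no file carries that label by default or whether the list was lost during generation. Entrypoint labelling decides which executables can transition into the domain, so the page should say so explicitly, for example `No default paths are labeled courier_sqwebmail_exec_t.`, or omit the section when the list is empty.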
@@ -14572,27 +15742,9 @@ index 0000000..c6ca9b6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for courier_sqwebmail:
-+
-+.EX
-+.B courier_sqwebmail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type courier_sqwebmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type courier_sqwebmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B courier_var_run_t
@@ -14600,6 +15752,8 @@ index 0000000..c6ca9b6
 +	/var/run/courier(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -14619,21 +15773,50 @@ index 0000000..c6ca9b6
 +
 +.SH "SEE ALSO"
 +selinux(8), courier_sqwebmail(8), semanage(8), restorecon(8), chcon(1)
++, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_tcpd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/courier_tcpd_selinux.8 b/man/man8/courier_tcpd_selinux.8
 new file mode 100644
-index 0000000..dc5b5dc
+index 0000000..29f69f1
 --- /dev/null
 +++ b/man/man8/courier_tcpd_selinux.8
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,103 @@
 +.TH  "courier_tcpd_selinux"  "8"  "courier_tcpd" "dwalsh at redhat.com" "courier_tcpd SELinux Policy documentation"
 +.SH "NAME"
 +courier_tcpd_selinux \- Security Enhanced Linux Policy for the courier_tcpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the courier_tcpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the courier_tcpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The courier_tcpd processes execute with the courier_tcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep courier_tcpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The courier_tcpd_t SELinux type can be entered via the "courier_tcpd_exec_t" file type.  The default entrypoint paths for the courier_tcpd_t domain are the following:"
++
++/usr/sbin/couriertcpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for courier_tcpd:
++
++.EX
++.B courier_tcpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14661,27 +15844,9 @@ index 0000000..dc5b5dc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for courier_tcpd:
-+
-+.EX
-+.B courier_tcpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type courier_tcpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type courier_tcpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B courier_var_lib_t
@@ -14697,6 +15862,8 @@ index 0000000..dc5b5dc
 +	/var/run/courier(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -14716,21 +15883,50 @@ index 0000000..dc5b5dc
 +
 +.SH "SEE ALSO"
 +selinux(8), courier_tcpd(8), semanage(8), restorecon(8), chcon(1)
++, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8
 new file mode 100644
-index 0000000..238081d
+index 0000000..141c803
 --- /dev/null
 +++ b/man/man8/cpucontrol_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "cpucontrol_selinux"  "8"  "cpucontrol" "dwalsh at redhat.com" "cpucontrol SELinux Policy documentation"
 +.SH "NAME"
 +cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cpucontrol processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cpucontrol processes via flexible mandatory access control.
++
++The cpucontrol processes execute with the cpucontrol_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cpucontrol_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The cpucontrol_t SELinux type can be entered via the "cpucontrol_exec_t" file type.  The default entrypoint paths for the cpucontrol_t domain are the following:"
++
++/sbin/microcode_ctl, /usr/sbin/microcode_ctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
++.PP 
++The following process types are defined for cpucontrol:
++
++.EX
++.B cpucontrol_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14770,27 +15966,11 @@ index 0000000..238081d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cpucontrol:
-+
-+.EX
-+.B cpucontrol_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cpucontrol_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cpucontrol_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -14813,19 +15993,46 @@ index 0000000..238081d
 +selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8
 new file mode 100644
-index 0000000..fbdece6
+index 0000000..e0e5950
 --- /dev/null
 +++ b/man/man8/cpufreqselector_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,94 @@
 +.TH  "cpufreqselector_selinux"  "8"  "cpufreqselector" "dwalsh at redhat.com" "cpufreqselector SELinux Policy documentation"
 +.SH "NAME"
 +cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cpufreqselector processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cpufreqselector processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cpufreqselector processes execute with the cpufreqselector_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cpufreqselector_t
++
++
++.SH "ENTRYPOINTS"
++
++The cpufreqselector_t SELinux type can be entered via the "cpufreqselector_exec_t" file type.  The default entrypoint paths for the cpufreqselector_t domain are the following:"
++
++/usr/bin/cpufreq-selector
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
++.PP 
++The following process types are defined for cpufreqselector:
++
++.EX
++.B cpufreqselector_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14853,27 +16060,9 @@ index 0000000..fbdece6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cpufreqselector:
-+
-+.EX
-+.B cpufreqselector_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cpufreqselector_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cpufreqselector_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sysfs_t
@@ -14881,6 +16070,8 @@ index 0000000..fbdece6
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -14902,19 +16093,46 @@ index 0000000..fbdece6
 +selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8
 new file mode 100644
-index 0000000..e878313
+index 0000000..130c2d7
 --- /dev/null
 +++ b/man/man8/cpuspeed_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,112 @@
 +.TH  "cpuspeed_selinux"  "8"  "cpuspeed" "dwalsh at redhat.com" "cpuspeed SELinux Policy documentation"
 +.SH "NAME"
 +cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cpuspeed processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cpuspeed processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cpuspeed processes execute with the cpuspeed_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cpuspeed_t
++
++
++.SH "ENTRYPOINTS"
++
++The cpuspeed_t SELinux type can be entered via the "cpuspeed_exec_t" file type.  The default entrypoint paths for the cpuspeed_t domain are the following:"
++
++/usr/sbin/cpuspeed, /usr/sbin/powernowd, /usr/sbin/cpufreqd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
++.PP 
++The following process types are defined for cpuspeed:
++
++.EX
++.B cpuspeed_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -14954,27 +16172,9 @@ index 0000000..e878313
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cpuspeed:
-+
-+.EX
-+.B cpuspeed_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cpuspeed_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cpuspeed_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cpuspeed_var_run_t
@@ -14988,6 +16188,8 @@ index 0000000..e878313
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -15009,19 +16211,46 @@ index 0000000..e878313
 +selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8
 new file mode 100644
-index 0000000..763e0d4
+index 0000000..4b3aa2f
 --- /dev/null
 +++ b/man/man8/crack_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,126 @@
 +.TH  "crack_selinux"  "8"  "crack" "dwalsh at redhat.com" "crack SELinux Policy documentation"
 +.SH "NAME"
 +crack_selinux \- Security Enhanced Linux Policy for the crack processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the crack processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the crack processes via flexible mandatory access control.
++
++The crack processes execute with the crack_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep crack_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The crack_t SELinux type can be entered via the "crack_exec_t" file type.  The default entrypoint paths for the crack_t domain are the following:"
++
++/usr/sbin/cracklib-[a-z]*, /usr/sbin/crack_[a-z]*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
++.PP 
++The following process types are defined for crack:
++
++.EX
++.B crack_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -15073,27 +16302,9 @@ index 0000000..763e0d4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for crack:
-+
-+.EX
-+.B crack_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type crack_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type crack_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B crack_db_t
@@ -15109,6 +16320,8 @@ index 0000000..763e0d4
 +.B crack_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
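Review bot: `.SH NSSWITCH DOMAIN` is added to crack_selinux.8 with no body, so the rendered page shows a heading followed directly by COMMANDS. The heading should be left out when no nsswitch booleans apply to the domain. The same empty section is added to ctdbd_selinux.8 further down.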
@@ -15130,50 +16343,63 @@ index 0000000..763e0d4
 +selinux(8), crack(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8
 new file mode 100644
-index 0000000..107d65b
+index 0000000..9c37542
 --- /dev/null
 +++ b/man/man8/crond_selinux.8
-@@ -0,0 +1,295 @@
+@@ -0,0 +1,306 @@
 +.TH  "crond_selinux"  "8"  "crond" "dwalsh at redhat.com" "crond SELinux Policy documentation"
 +.SH "NAME"
 +crond_selinux \- Security Enhanced Linux Policy for the crond processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the crond processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the crond processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible.
++The crond processes execute with the crond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
++.B ps -eZ | grep crond_t
 +
-+.EX
-+.B setsebool -P fcron_crond 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The crond_t SELinux type can be entered via the "crond_exec_t" file type.  The default entrypoint paths for the crond_t domain are the following:"
++
++/usr/sbin/fcron, /usr/sbin/cron(d)?, /usr/sbin/atd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
++.PP 
++The following process types are defined for crond:
 +
 +.EX
-+.B setsebool -P cron_can_relabel 1
++.B crond_t, cronjob_t, crontab_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P fcron_crond 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean.
++If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P cron_can_relabel 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -15246,27 +16472,9 @@ index 0000000..107d65b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for crond:
-+
-+.EX
-+.B crond_t, cronjob_t, crontab_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type crond_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type crond_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgroup_t
@@ -15406,6 +16614,22 @@ index 0000000..107d65b
 +	/var/lib/google-authenticator(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
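Review bot: The NSSWITCH sentence is moved here with two typos intact, `rather then using a sssd serve`, which should read `rather than using a sssd server`. This paragraph tells an administrator when to widen what the confined domains may do, and `setsebool -P` makes that change persistent, so the wording should be unambiguous. The same sentence is re-added in the crontab, cups_pdf, cupsd_config, cupsd_lpd and cupsd pages.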
@@ -15432,33 +16656,46 @@ index 0000000..107d65b
 \ No newline at end of file
 diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8
 new file mode 100644
-index 0000000..c371dff
+index 0000000..57f2c5b
 --- /dev/null
 +++ b/man/man8/crontab_selinux.8
-@@ -0,0 +1,177 @@
+@@ -0,0 +1,192 @@
 +.TH  "crontab_selinux"  "8"  "crontab" "dwalsh at redhat.com" "crontab SELinux Policy documentation"
 +.SH "NAME"
 +crontab_selinux \- Security Enhanced Linux Policy for the crontab processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the crontab processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the crontab processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The crontab processes execute with the crontab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep crontab_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The crontab_t SELinux type can be entered via the "crontab_exec_t" file type.  The default entrypoint paths for the crontab_t domain are the following:"
++
++/usr/bin/(f)?crontab, /usr/sbin/fcronsighup, /usr/bin/at
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
++.PP 
++The following process types are defined for crontab:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B crontab_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -15498,27 +16735,9 @@ index 0000000..c371dff
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for crontab:
-+
-+.EX
-+.B crontab_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type crontab_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type crontab_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgroup_t
@@ -15573,6 +16792,10 @@ index 0000000..c371dff
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B var_auth_t
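Review bot: The added paths `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` look like expansions of the generic `/tmp/gconfd-.*` entry for accounts on the machine where the page was generated, not defaults that ship with the policy. They describe paths that will not exist on an installed system and put local account names into a distributed man page, so the two added path/`.br` pairs should be dropped, leaving only `/tmp/gconfd-.*`. The same applies to `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` in cups_pdf_selinux.8 and to the gconfd entries in cupsd_config_selinux.8. The file-type list these lines belong to starts and ends outside the hunk.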
@@ -15594,6 +16817,22 @@ index 0000000..c371dff
 +	/var/lib/google-authenticator(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -15615,19 +16854,46 @@ index 0000000..c371dff
 +selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8
 new file mode 100644
-index 0000000..511c22e
+index 0000000..255ab0a
 --- /dev/null
 +++ b/man/man8/ctdbd_selinux.8
-@@ -0,0 +1,209 @@
+@@ -0,0 +1,220 @@
 +.TH  "ctdbd_selinux"  "8"  "ctdbd" "dwalsh at redhat.com" "ctdbd SELinux Policy documentation"
 +.SH "NAME"
 +ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ctdbd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ctdbd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ctdbd processes execute with the ctdbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ctdbd_t
++
++
++.SH "ENTRYPOINTS"
++
++The ctdbd_t SELinux type can be entered via the "ctdbd_exec_t" file type.  The default entrypoint paths for the ctdbd_t domain are the following:"
++
++/usr/sbin/ctdbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ctdbd:
++
++.EX
++.B ctdbd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -15732,27 +16998,9 @@ index 0000000..511c22e
 +.EE
 +udp 4379
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ctdbd:
-+
-+.EX
-+.B ctdbd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ctdbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ctdbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ctdbd_log_t
@@ -15806,6 +17054,8 @@ index 0000000..511c22e
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -15830,33 +17080,46 @@ index 0000000..511c22e
 +selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cups_pdf_selinux.8 b/man/man8/cups_pdf_selinux.8
 new file mode 100644
-index 0000000..2aaabe2
+index 0000000..19f90ea
 --- /dev/null
 +++ b/man/man8/cups_pdf_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,149 @@
 +.TH  "cups_pdf_selinux"  "8"  "cups_pdf" "dwalsh at redhat.com" "cups_pdf SELinux Policy documentation"
 +.SH "NAME"
 +cups_pdf_selinux \- Security Enhanced Linux Policy for the cups_pdf processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cups_pdf processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cups_pdf processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cups_pdf processes execute with the cups_pdf_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cups_pdf_t
 +
++
++.SH "ENTRYPOINTS"
++
++The cups_pdf_t SELinux type can be entered via the "cups_pdf_exec_t" file type.  The default entrypoint paths for the cups_pdf_t domain are the following:"
++
++/usr/lib/cups/backend/cups-pdf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cups_pdf_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible.
++.PP 
++The following process types are defined for cups_pdf:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cups_pdf_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -15892,27 +17155,9 @@ index 0000000..2aaabe2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cups_pdf:
-+
-+.EX
-+.B cups_pdf_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cups_pdf_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cups_pdf_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -15947,6 +17192,26 @@ index 0000000..2aaabe2
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cups_pdf_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -15967,35 +17232,50 @@ index 0000000..2aaabe2
 +
 +.SH "SEE ALSO"
 +selinux(8), cups_pdf(8), semanage(8), restorecon(8), chcon(1)
++, cupsd_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/cupsd_config_selinux.8 b/man/man8/cupsd_config_selinux.8
 new file mode 100644
-index 0000000..2c6ca80
+index 0000000..a1afd7f
 --- /dev/null
 +++ b/man/man8/cupsd_config_selinux.8
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,207 @@
 +.TH  "cupsd_config_selinux"  "8"  "cupsd_config" "dwalsh at redhat.com" "cupsd_config SELinux Policy documentation"
 +.SH "NAME"
 +cupsd_config_selinux \- Security Enhanced Linux Policy for the cupsd_config processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cupsd_config processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cupsd_config processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cupsd_config processes execute with the cupsd_config_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cupsd_config_t
 +
++
++.SH "ENTRYPOINTS"
++
++The cupsd_config_t SELinux type can be entered via the "cupsd_config_exec_t" file type.  The default entrypoint paths for the cupsd_config_t domain are the following:"
++
++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/bin/cups-config-daemon, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cupsd_config_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible.
++.PP 
++The following process types are defined for cupsd_config:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cupsd_config_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -16018,7 +17298,7 @@ index 0000000..2c6ca80
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer
++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/bin/cups-config-daemon, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer
 +
 +.EX
 +.PP
@@ -16035,27 +17315,9 @@ index 0000000..2c6ca80
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cupsd_config:
-+
-+.EX
-+.B cupsd_config_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cupsd_config_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cupsd_config_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cupsd_config_var_run_t
@@ -16144,6 +17406,26 @@ index 0000000..2c6ca80
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cupsd_config_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -16164,37 +17446,50 @@ index 0000000..2c6ca80
 +
 +.SH "SEE ALSO"
 +selinux(8), cupsd_config(8), semanage(8), restorecon(8), chcon(1)
-+, cupsd_selinux(8)
++, cupsd_selinux(8), cupsd_selinux(8), cupsd_lpd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/cupsd_lpd_selinux.8 b/man/man8/cupsd_lpd_selinux.8
 new file mode 100644
-index 0000000..1e6a8d8
+index 0000000..3f1d5b7
 --- /dev/null
 +++ b/man/man8/cupsd_lpd_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "cupsd_lpd_selinux"  "8"  "cupsd_lpd" "dwalsh at redhat.com" "cupsd_lpd SELinux Policy documentation"
 +.SH "NAME"
 +cupsd_lpd_selinux \- Security Enhanced Linux Policy for the cupsd_lpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cupsd_lpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cupsd_lpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cupsd_lpd processes execute with the cupsd_lpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_lpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cupsd_lpd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The cupsd_lpd_t SELinux type can be entered via the "cupsd_lpd_exec_t" file type.  The default entrypoint paths for the cupsd_lpd_t domain are the following:"
++
++/usr/lib/cups/daemon/cups-lpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cupsd_lpd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cupsd_lpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cupsd_lpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
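Review bot: The new SEE ALSO line in cupsd_config_selinux.8 lists `cupsd_selinux(8)` twice (`, cupsd_selinux(8), cupsd_selinux(8), cupsd_lpd_selinux(8)`). Judging by the cups_pdf page's list, the second entry was probably meant to be the remaining sibling page, giving `, cupsd_selinux(8), cups_pdf_selinux(8), cupsd_lpd_selinux(8)`. The cupsd_lpd_selinux.8 SEE ALSO line in the next hunk has the same duplicate.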
@@ -16238,27 +17533,9 @@ index 0000000..1e6a8d8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cupsd_lpd:
-+
-+.EX
-+.B cupsd_lpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cupsd_lpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cupsd_lpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cupsd_lpd_tmp_t
@@ -16268,6 +17545,22 @@ index 0000000..1e6a8d8
 +.B cupsd_lpd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_lpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cupsd_lpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -16287,37 +17580,50 @@ index 0000000..1e6a8d8
 +
 +.SH "SEE ALSO"
 +selinux(8), cupsd_lpd(8), semanage(8), restorecon(8), chcon(1)
-+, cupsd_selinux(8)
++, cupsd_selinux(8), cupsd_selinux(8), cupsd_config_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8
 new file mode 100644
-index 0000000..a960b0d
+index 0000000..4b2650a
 --- /dev/null
 +++ b/man/man8/cupsd_selinux.8
-@@ -0,0 +1,390 @@
+@@ -0,0 +1,401 @@
 +.TH  "cupsd_selinux"  "8"  "cupsd" "dwalsh at redhat.com" "cupsd SELinux Policy documentation"
 +.SH "NAME"
 +cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cupsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cupsd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cupsd processes execute with the cupsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cupsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The cupsd_t SELinux type can be entered via the "cupsd_exec_t" file type.  The default entrypoint paths for the cupsd_t domain are the following:"
 +
++/usr/sbin/cupsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for cupsd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -16340,7 +17646,7 @@ index 0000000..a960b0d
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/bin/cups-config-daemon, /usr/libexec/cups-pk-helper-mechanism, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer
++/usr/sbin/printconf-backend, /usr/sbin/hal_lpadmin, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism, /usr/bin/cups-config-daemon, /usr/libexec/hal_lpadmin, /lib/udev/udev-configure-printer
 +
 +.EX
 +.PP
@@ -16477,27 +17783,9 @@ index 0000000..a960b0d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cupsd:
-+
-+.EX
-+.B cupsd_t, cupsd_config_t, cupsd_lpd_t, cups_pdf_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cupsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cupsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cupsd_interface_t
@@ -16665,6 +17953,22 @@ index 0000000..a960b0d
 +.B usbfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -16688,43 +17992,56 @@ index 0000000..a960b0d
 \ No newline at end of file
 diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8
 new file mode 100644
-index 0000000..6b0198f
+index 0000000..83bc267
 --- /dev/null
 +++ b/man/man8/cvs_selinux.8
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,231 @@
 +.TH  "cvs_selinux"  "8"  "cvs" "dwalsh at redhat.com" "cvs SELinux Policy documentation"
 +.SH "NAME"
 +cvs_selinux \- Security Enhanced Linux Policy for the cvs processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cvs processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cvs processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible.
++The cvs processes execute with the cvs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean.
++.B ps -eZ | grep cvs_t
 +
-+.EX
-+.B setsebool -P cvs_read_shadow 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The cvs_t SELinux type can be entered via the "cvs_exec_t" file type.  The default entrypoint paths for the cvs_t domain are the following:"
++
++/usr/bin/cvs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
++.PP 
++The following process types are defined for cvs:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B cvs_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean.
++If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P cvs_read_shadow 1
 +.EE
 +
 +.SH FILE CONTEXTS
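Review bot: In the PROCESS TYPES block moved to the top of cvs_selinux.8, the line ending `option to \fBps\bP` closes the bold run with `\bP` instead of the font-reset escape, so bold is presumably left on and the escape is malformed; it should read `\fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray `"` after `are the following:`. Both look like template defects, since the same two lines recur in the cyphesis, cyrus, dbskkd, dcc_client, dcc_dbclean and dccd pages later in this patch.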
@@ -16822,27 +18139,9 @@ index 0000000..6b0198f
 +.EE
 +udp 2401
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cvs:
-+
-+.EX
-+.B cvs_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cvs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cvs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cvs_data_t
@@ -16886,6 +18185,22 @@ index 0000000..6b0198f
 +	/var/run/pcscd\.comm
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -16915,19 +18230,46 @@ index 0000000..6b0198f
 \ No newline at end of file
 diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8
 new file mode 100644
-index 0000000..06be409
+index 0000000..2dc2eef
 --- /dev/null
 +++ b/man/man8/cyphesis_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,152 @@
 +.TH  "cyphesis_selinux"  "8"  "cyphesis" "dwalsh at redhat.com" "cyphesis SELinux Policy documentation"
 +.SH "NAME"
 +cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cyphesis processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cyphesis processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cyphesis processes execute with the cyphesis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep cyphesis_t
++
++
++.SH "ENTRYPOINTS"
++
++The cyphesis_t SELinux type can be entered via the "cyphesis_exec_t" file type.  The default entrypoint paths for the cyphesis_t domain are the following:"
++
++/usr/bin/cyphesis
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
++.PP 
++The following process types are defined for cyphesis:
++
++.EX
++.B cyphesis_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
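Review bot: The note on `semanage permissive -a PROCESS_TYPE`, now near the top of cyphesis_selinux.8, does not say that this turns off enforcement for the whole domain, nor how to undo it. I would add a template sentence after it such as `Use permissive mode only while troubleshooting; semanage permissive -d PROCESS_TYPE restores enforcement.` The same note is repeated unchanged in the other generated pages in this patch.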
@@ -17004,27 +18346,9 @@ index 0000000..06be409
 +.EE
 +udp 32771
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cyphesis:
-+
-+.EX
-+.B cyphesis_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cyphesis_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cyphesis_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cyphesis_log_t
@@ -17038,6 +18362,8 @@ index 0000000..06be409
 +	/var/run/cyphesis(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
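Review bot: The added `.SH NSSWITCH DOMAIN` heading in cyphesis_selinux.8 is followed directly by `.SH "COMMANDS"`, so the page gets an empty section. The other pages in this patch fill that section with the authlogin_nsswitch_use_ldap and kerberos_enabled paragraphs. Where neither boolean applies to the domain, the generator should presumably omit the heading instead of emitting it bare.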
@@ -17062,33 +18388,46 @@ index 0000000..06be409
 +selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8
 new file mode 100644
-index 0000000..8208a25
+index 0000000..1a18766
 --- /dev/null
 +++ b/man/man8/cyrus_selinux.8
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,176 @@
 +.TH  "cyrus_selinux"  "8"  "cyrus" "dwalsh at redhat.com" "cyrus SELinux Policy documentation"
 +.SH "NAME"
 +cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the cyrus processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the cyrus processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The cyrus processes execute with the cyrus_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep cyrus_t
++
++
++.SH "ENTRYPOINTS"
++
++The cyrus_t SELinux type can be entered via the "cyrus_exec_t" file type.  The default entrypoint paths for the cyrus_t domain are the following:"
 +
++/usr/lib/cyrus-imapd/cyrus-master, /usr/lib/cyrus/master
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
++.PP 
++The following process types are defined for cyrus:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B cyrus_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -17164,27 +18503,9 @@ index 0000000..8208a25
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for cyrus:
-+
-+.EX
-+.B cyrus_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type cyrus_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type cyrus_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cyrus_tmp_t
@@ -17212,6 +18533,22 @@ index 0000000..8208a25
 +	/var/spool/mail(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -17233,10 +18570,10 @@ index 0000000..8208a25
 +selinux(8), cyrus(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dbadm_selinux.8 b/man/man8/dbadm_selinux.8
 new file mode 100644
-index 0000000..cd160a1
+index 0000000..64bb7e5
 --- /dev/null
 +++ b/man/man8/dbadm_selinux.8
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,202 @@
 +.TH  "dbadm_selinux"  "8"  "dbadm" "mgrepl at redhat.com" "dbadm SELinux Policy documentation"
 +.SH "NAME"
 +dbadm_r \- \fBDatabase administrator role\fP - Security Enhanced Linux Policy 
@@ -17306,7 +18643,7 @@ index 0000000..cd160a1
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dbadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dbadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mysqld_db_t
@@ -17329,6 +18666,10 @@ index 0000000..cd160a1
 +.br
 +	/home/[^/]*/\.my\.cnf
 +.br
++	/home/dwalsh/\.my\.cnf
++.br
++	/var/lib/xguest/home/xguest/\.my\.cnf
++.br
 +
 +.br
 +.B mysqld_log_t
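Review bot: The two added entries `/home/dwalsh/\.my\.cnf` and `/var/lib/xguest/home/xguest/\.my\.cnf` look like per-user expansions taken from the machine that generated the page, not default policy paths. The pattern `/home/[^/]*/\.my\.cnf` on the line above already covers them. Shipping them puts a build-host account name into an installed man page and makes the output depend on where it was generated. The generator should presumably list only the file-context patterns from the policy source. The MANAGED FILES list for dbadm_t begins outside this hunk.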
@@ -17438,33 +18779,46 @@ index 0000000..cd160a1
 \ No newline at end of file
 diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8
 new file mode 100644
-index 0000000..702c0d6
+index 0000000..a464792
 --- /dev/null
 +++ b/man/man8/dbskkd_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,152 @@
 +.TH  "dbskkd_selinux"  "8"  "dbskkd" "dwalsh at redhat.com" "dbskkd SELinux Policy documentation"
 +.SH "NAME"
 +dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dbskkd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dbskkd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dbskkd processes execute with the dbskkd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep dbskkd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The dbskkd_t SELinux type can be entered via the "dbskkd_exec_t" file type.  The default entrypoint paths for the dbskkd_t domain are the following:"
++
++/usr/sbin/dbskkd-cdb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dbskkd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dbskkd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -17531,27 +18885,9 @@ index 0000000..702c0d6
 +Default Defined Ports:
 +tcp 1178
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dbskkd:
-+
-+.EX
-+.B dbskkd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dbskkd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dbskkd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dbskkd_tmp_t
@@ -17561,6 +18897,22 @@ index 0000000..702c0d6
 +.B dbskkd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -17585,33 +18937,46 @@ index 0000000..702c0d6
 +selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dcc_client_selinux.8 b/man/man8/dcc_client_selinux.8
 new file mode 100644
-index 0000000..98c2a6b
+index 0000000..50527e4
 --- /dev/null
 +++ b/man/man8/dcc_client_selinux.8
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,149 @@
 +.TH  "dcc_client_selinux"  "8"  "dcc_client" "dwalsh at redhat.com" "dcc_client SELinux Policy documentation"
 +.SH "NAME"
 +dcc_client_selinux \- Security Enhanced Linux Policy for the dcc_client processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dcc_client processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dcc_client processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dcc_client processes execute with the dcc_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dcc_client_t
++
++
++.SH "ENTRYPOINTS"
 +
++The dcc_client_t SELinux type can be entered via the "dcc_client_exec_t" file type.  The default entrypoint paths for the dcc_client_t domain are the following:"
++
++/usr/bin/dccproc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dcc_client_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible.
++.PP 
++The following process types are defined for dcc_client:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dcc_client_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -17659,27 +19024,9 @@ index 0000000..98c2a6b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dcc_client:
-+
-+.EX
-+.B dcc_client_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dcc_client_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dcc_client_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dcc_client_map_t
@@ -17707,6 +19054,22 @@ index 0000000..98c2a6b
 +	/var/lib/dcc(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dcc_client_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -17726,35 +19089,50 @@ index 0000000..98c2a6b
 +
 +.SH "SEE ALSO"
 +selinux(8), dcc_client(8), semanage(8), restorecon(8), chcon(1)
++, dcc_dbclean_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/dcc_dbclean_selinux.8 b/man/man8/dcc_dbclean_selinux.8
 new file mode 100644
-index 0000000..cbbceb2
+index 0000000..7003318
 --- /dev/null
 +++ b/man/man8/dcc_dbclean_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,137 @@
 +.TH  "dcc_dbclean_selinux"  "8"  "dcc_dbclean" "dwalsh at redhat.com" "dcc_dbclean SELinux Policy documentation"
 +.SH "NAME"
 +dcc_dbclean_selinux \- Security Enhanced Linux Policy for the dcc_dbclean processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dcc_dbclean processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dcc_dbclean processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dcc_dbclean processes execute with the dcc_dbclean_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_dbclean_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dcc_dbclean_t
++
++
++.SH "ENTRYPOINTS"
++
++The dcc_dbclean_t SELinux type can be entered via the "dcc_dbclean_exec_t" file type.  The default entrypoint paths for the dcc_dbclean_t domain are the following:"
 +
++/usr/libexec/dcc/dbclean
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dcc_dbclean_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible.
++.PP 
++The following process types are defined for dcc_dbclean:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dcc_dbclean_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
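Review bot: The SEE ALSO continuation line added to dcc_client_selinux.8 begins with a comma (`, dcc_dbclean_selinux(8), dccd_selinux(8), ...`), which after filling renders as `chcon(1) , dcc_dbclean_selinux(8)`. Ending the preceding line with the comma and starting the new line at `dcc_dbclean_selinux(8)` removes the stray space. The same construction is added to dcc_dbclean_selinux.8 in a later hunk. This hunk also runs on into the header of the next file's section.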
@@ -17790,27 +19168,9 @@ index 0000000..cbbceb2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dcc_dbclean:
-+
-+.EX
-+.B dcc_dbclean_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dcc_dbclean_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dcc_dbclean_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dcc_client_map_t
@@ -17838,6 +19198,22 @@ index 0000000..cbbceb2
 +	/var/lib/dcc(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_dbclean_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dcc_dbclean_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -17857,35 +19233,50 @@ index 0000000..cbbceb2
 +
 +.SH "SEE ALSO"
 +selinux(8), dcc_dbclean(8), semanage(8), restorecon(8), chcon(1)
++, dcc_client_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8
 new file mode 100644
-index 0000000..8d23c5b
+index 0000000..5581ca6
 --- /dev/null
 +++ b/man/man8/dccd_selinux.8
-@@ -0,0 +1,177 @@
+@@ -0,0 +1,188 @@
 +.TH  "dccd_selinux"  "8"  "dccd" "dwalsh at redhat.com" "dccd SELinux Policy documentation"
 +.SH "NAME"
 +dccd_selinux \- Security Enhanced Linux Policy for the dccd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dccd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dccd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dccd processes execute with the dccd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dccd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dccd_t SELinux type can be entered via the "dccd_exec_t" file type.  The default entrypoint paths for the dccd_t domain are the following:"
 +
++/usr/libexec/dcc/dccd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dccd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dccm_t, dcc_client_t, dcc_dbclean_t, dccifd_t, dccd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -17965,27 +19356,9 @@ index 0000000..8d23c5b
 +.EE
 +udp 5679
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dccd:
-+
-+.EX
-+.B dccm_t, dcc_client_t, dcc_dbclean_t, dccifd_t, dccd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dccd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dccd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dcc_client_map_t
@@ -18017,6 +19390,22 @@ index 0000000..8d23c5b
 +.B dccd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -18043,33 +19432,46 @@ index 0000000..8d23c5b
 \ No newline at end of file
 diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8
 new file mode 100644
-index 0000000..03586d8
+index 0000000..a504eed
 --- /dev/null
 +++ b/man/man8/dccifd_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,156 @@
 +.TH  "dccifd_selinux"  "8"  "dccifd" "dwalsh at redhat.com" "dccifd SELinux Policy documentation"
 +.SH "NAME"
 +dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dccifd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dccifd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dccifd processes execute with the dccifd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep dccifd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The dccifd_t SELinux type can be entered via the "dccifd_exec_t" file type.  The default entrypoint paths for the dccifd_t domain are the following:"
++
++/usr/libexec/dcc/dccifd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dccifd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dccifd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
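Review bot: The relocated PROCESS TYPES text still closes its `ps` reference with `\bP` rather than `\fP` (`\fBps\bP`), so the bold font is not reset at that point and `\b` is parsed as a different escape. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence in this hunk also ends in a stray `"` after `the following:`. The same two lines appear in the dccm, dcerpcd, ddclient, deltacloudd, denyhosts, depmod and devicekit_disk hunks, so the fix presumably belongs in the template that generates these pages rather than in each page.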
@@ -18117,27 +19519,9 @@ index 0000000..03586d8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dccifd:
-+
-+.EX
-+.B dccifd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dccifd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dccifd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dcc_client_map_t
@@ -18173,6 +19557,22 @@ index 0000000..03586d8
 +	/var/run/dcc/dccifd
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -18194,33 +19594,46 @@ index 0000000..03586d8
 +selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8
 new file mode 100644
-index 0000000..21fd91f
+index 0000000..00c7ca1
 --- /dev/null
 +++ b/man/man8/dccm_selinux.8
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,176 @@
 +.TH  "dccm_selinux"  "8"  "dccm" "dwalsh at redhat.com" "dccm SELinux Policy documentation"
 +.SH "NAME"
 +dccm_selinux \- Security Enhanced Linux Policy for the dccm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dccm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dccm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dccm processes execute with the dccm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dccm_t
 +
++
++.SH "ENTRYPOINTS"
++
++The dccm_t SELinux type can be entered via the "dccm_exec_t" file type.  The default entrypoint paths for the dccm_t domain are the following:"
++
++/usr/libexec/dcc/dccm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
++.PP 
++The following process types are defined for dccm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dccm_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -18289,27 +19702,9 @@ index 0000000..21fd91f
 +.EE
 +udp 5679
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dccm:
-+
-+.EX
-+.B dccm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dccm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dccm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dcc_client_map_t
@@ -18341,6 +19736,22 @@ index 0000000..21fd91f
 +.B dccm_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -18365,19 +19776,46 @@ index 0000000..21fd91f
 +selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8
 new file mode 100644
-index 0000000..c9ee53a
+index 0000000..e300fa2
 --- /dev/null
 +++ b/man/man8/dcerpcd_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "dcerpcd_selinux"  "8"  "dcerpcd" "dwalsh at redhat.com" "dcerpcd SELinux Policy documentation"
 +.SH "NAME"
 +dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dcerpcd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dcerpcd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dcerpcd processes execute with the dcerpcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dcerpcd_t
++
++
++.SH "ENTRYPOINTS"
++
++The dcerpcd_t SELinux type can be entered via the "dcerpcd_exec_t" file type.  The default entrypoint paths for the dcerpcd_t domain are the following:"
++
++/usr/sbin/dcerpcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dcerpcd:
++
++.EX
++.B dcerpcd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -18429,27 +19867,9 @@ index 0000000..c9ee53a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dcerpcd:
-+
-+.EX
-+.B dcerpcd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dcerpcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dcerpcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dcerpcd_var_lib_t
@@ -18461,6 +19881,8 @@ index 0000000..c9ee53a
 +.B dcerpcd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
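Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the rendered page shows a heading with nothing under it. In the dccd, dccifd and dccm pages the same heading carries the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` paragraphs. An empty heading leaves an administrator unsure whether those booleans affect dcerpcd_t. The heading should be emitted only when there is at least one boolean to list. The ddclient and depmod hunks add the same empty section.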
@@ -18482,19 +19904,46 @@ index 0000000..c9ee53a
 +selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8
 new file mode 100644
-index 0000000..325522c
+index 0000000..1c9cf3f
 --- /dev/null
 +++ b/man/man8/ddclient_selinux.8
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,186 @@
 +.TH  "ddclient_selinux"  "8"  "ddclient" "dwalsh at redhat.com" "ddclient SELinux Policy documentation"
 +.SH "NAME"
 +ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ddclient processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ddclient processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ddclient processes execute with the ddclient_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ddclient_t
++
++
++.SH "ENTRYPOINTS"
++
++The ddclient_t SELinux type can be entered via the "ddclient_exec_t" file type.  The default entrypoint paths for the ddclient_t domain are the following:"
++
++/usr/sbin/ddclient, /usr/sbin/ddtcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
++.PP 
++The following process types are defined for ddclient:
++
++.EX
++.B ddclient_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -18590,27 +20039,9 @@ index 0000000..325522c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ddclient:
-+
-+.EX
-+.B ddclient_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ddclient_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ddclient_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ddclient_log_t
@@ -18642,6 +20073,8 @@ index 0000000..325522c
 +	/var/cache/ddclient(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -18663,33 +20096,46 @@ index 0000000..325522c
 +selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8
 new file mode 100644
-index 0000000..65625b3
+index 0000000..bcd6f38
 --- /dev/null
 +++ b/man/man8/deltacloudd_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,140 @@
 +.TH  "deltacloudd_selinux"  "8"  "deltacloudd" "dwalsh at redhat.com" "deltacloudd SELinux Policy documentation"
 +.SH "NAME"
 +deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the deltacloudd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the deltacloudd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The deltacloudd processes execute with the deltacloudd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep deltacloudd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The deltacloudd_t SELinux type can be entered via the "deltacloudd_exec_t" file type.  The default entrypoint paths for the deltacloudd_t domain are the following:"
++
++/usr/bin/deltacloudd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
++.PP 
++The following process types are defined for deltacloudd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B deltacloudd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -18741,27 +20187,9 @@ index 0000000..65625b3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for deltacloudd:
-+
-+.EX
-+.B deltacloudd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type deltacloudd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type deltacloudd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B deltacloudd_log_t
@@ -18777,6 +20205,22 @@ index 0000000..65625b3
 +.B deltacloudd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -18798,33 +20242,46 @@ index 0000000..65625b3
 +selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8
 new file mode 100644
-index 0000000..1fbd4a1
+index 0000000..da569e2
 --- /dev/null
 +++ b/man/man8/denyhosts_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,172 @@
 +.TH  "denyhosts_selinux"  "8"  "denyhosts" "dwalsh at redhat.com" "denyhosts SELinux Policy documentation"
 +.SH "NAME"
 +denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the denyhosts processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the denyhosts processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The denyhosts processes execute with the denyhosts_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep denyhosts_t
++
++
++.SH "ENTRYPOINTS"
++
++The denyhosts_t SELinux type can be entered via the "denyhosts_exec_t" file type.  The default entrypoint paths for the denyhosts_t domain are the following:"
 +
++/usr/bin/denyhosts\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
++.PP 
++The following process types are defined for denyhosts:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B denyhosts_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -18884,27 +20341,9 @@ index 0000000..1fbd4a1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for denyhosts:
-+
-+.EX
-+.B denyhosts_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type denyhosts_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type denyhosts_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B denyhosts_var_lib_t
@@ -18944,6 +20383,22 @@ index 0000000..1fbd4a1
 +	/etc/ethers
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -18965,19 +20420,46 @@ index 0000000..1fbd4a1
 +selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8
 new file mode 100644
-index 0000000..67c21ef
+index 0000000..b711c99
 --- /dev/null
 +++ b/man/man8/depmod_selinux.8
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,114 @@
 +.TH  "depmod_selinux"  "8"  "depmod" "dwalsh at redhat.com" "depmod SELinux Policy documentation"
 +.SH "NAME"
 +depmod_selinux \- Security Enhanced Linux Policy for the depmod processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the depmod processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the depmod processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The depmod processes execute with the depmod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep depmod_t
++
++
++.SH "ENTRYPOINTS"
++
++The depmod_t SELinux type can be entered via the "depmod_exec_t" file type.  The default entrypoint paths for the depmod_t domain are the following:"
++
++/sbin/depmod.*, /usr/sbin/depmod.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
++.PP 
++The following process types are defined for depmod:
++
++.EX
++.B depmod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -19009,27 +20491,9 @@ index 0000000..67c21ef
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for depmod:
-+
-+.EX
-+.B depmod_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type depmod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type depmod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B modules_dep_t
@@ -19048,6 +20512,12 @@ index 0000000..67c21ef
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
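Review bot: The added MANAGED FILES entries `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` look like per-user expansions of the `/tmp/gconfd-.*` pattern listed just above them, presumably picked up from the machine the page was generated on. Shipping them puts account names from the build host into distributed documentation and makes the generated output depend on local state rather than on the policy alone. The two paths and their `.br` lines should be dropped, leaving only `/tmp/gconfd-.*`. The generator should presumably read file contexts from the policy source instead of a live system's expanded contexts.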
@@ -19070,33 +20540,46 @@ index 0000000..67c21ef
 +selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/devicekit_disk_selinux.8 b/man/man8/devicekit_disk_selinux.8
 new file mode 100644
-index 0000000..85ad4ca
+index 0000000..303afff
 --- /dev/null
 +++ b/man/man8/devicekit_disk_selinux.8
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,165 @@
 +.TH  "devicekit_disk_selinux"  "8"  "devicekit_disk" "dwalsh at redhat.com" "devicekit_disk SELinux Policy documentation"
 +.SH "NAME"
 +devicekit_disk_selinux \- Security Enhanced Linux Policy for the devicekit_disk processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the devicekit_disk processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the devicekit_disk processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The devicekit_disk processes execute with the devicekit_disk_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep devicekit_disk_t
++
++
++.SH "ENTRYPOINTS"
 +
++The devicekit_disk_t SELinux type can be entered via the "devicekit_disk_exec_t" file type.  The default entrypoint paths for the devicekit_disk_t domain are the following:"
++
++/usr/lib/udisks/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/libexec/devkit-disks-daemon, /lib/udisks2/udisksd, /usr/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/libexec/udisks-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the devicekit_disk_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible.
++.PP 
++The following process types are defined for devicekit_disk:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B devicekit_disk_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -19128,27 +20611,9 @@ index 0000000..85ad4ca
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for devicekit_disk:
-+
-+.EX
-+.B devicekit_disk_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type devicekit_disk_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type devicekit_disk_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B device_t
@@ -19208,6 +20673,22 @@ index 0000000..85ad4ca
 +	all virtual image files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
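Review bot: The NSSWITCH DOMAIN text added here reads as if each boolean were scoped to devicekit_disk_t, but SELinux booleans are policy-wide and `setsebool -P` makes the change persistent. Turning on `authlogin_nsswitch_use_ldap` or `kerberos_enabled` therefore changes access for every domain the boolean gates, and the section should say so, e.g. `This boolean is system-wide; enabling it also affects the other domains that use it.` The first sentence also has two typos: "rather then using a sssd serve" should be `rather than using an sssd server`. The same paragraph is added to the devicekit_power, devicekit, dhcpc, dhcpd, dictd and dirsrv pages, so the fix presumably belongs in the generator template rather than in each page.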
@@ -19227,37 +20708,50 @@ index 0000000..85ad4ca
 +
 +.SH "SEE ALSO"
 +selinux(8), devicekit_disk(8), semanage(8), restorecon(8), chcon(1)
-+, devicekit_selinux(8)
++, devicekit_selinux(8), devicekit_selinux(8), devicekit_power_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/devicekit_power_selinux.8 b/man/man8/devicekit_power_selinux.8
 new file mode 100644
-index 0000000..67dd44e
+index 0000000..f836d9f
 --- /dev/null
 +++ b/man/man8/devicekit_power_selinux.8
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,195 @@
 +.TH  "devicekit_power_selinux"  "8"  "devicekit_power" "dwalsh at redhat.com" "devicekit_power SELinux Policy documentation"
 +.SH "NAME"
 +devicekit_power_selinux \- Security Enhanced Linux Policy for the devicekit_power processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the devicekit_power processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the devicekit_power processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The devicekit_power processes execute with the devicekit_power_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep devicekit_power_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The devicekit_power_t SELinux type can be entered via the "devicekit_power_exec_t" file type.  The default entrypoint paths for the devicekit_power_t domain are the following:"
++
++/usr/libexec/upowerd, /usr/libexec/devkit-power-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the devicekit_power_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible.
++.PP 
++The following process types are defined for devicekit_power:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B devicekit_power_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
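Review bot: In the PROCESS TYPES paragraph the font escape is mistyped as `\fBps\bP`. `\b` is not a font change in roff, so bold is never switched off; it should be `\fBps\fP`, as in the DESCRIPTION paragraph above. The ENTRYPOINTS sentence ends with a stray quote (`are the following:"`). The SEE ALSO line of devicekit_disk_selinux.8 at the top of this hunk now lists `devicekit_selinux(8)` twice, and devicekit_power_selinux.8 does the same. The first two defects recur in every generated page in this part of the patch, so they are best fixed once in the generator.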
@@ -19289,27 +20783,9 @@ index 0000000..67dd44e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for devicekit_power:
-+
-+.EX
-+.B devicekit_power_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type devicekit_power_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type devicekit_power_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B config_home_t
@@ -19332,6 +20808,22 @@ index 0000000..67dd44e
 +.br
 +	/home/[^/]*/\.Xdefaults
 +.br
++	/home/dwalsh/\.kde(/.*)?
++.br
++	/home/dwalsh/\.xine(/.*)?
++.br
++	/home/dwalsh/\.config(/.*)?
++.br
++	/home/dwalsh/\.Xdefaults
++.br
++	/var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.Xdefaults
++.br
 +
 +.br
 +.B devicekit_tmp_t
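Review bot: The config_home_t list now contains `/home/dwalsh/...` and `/var/lib/xguest/home/xguest/...` entries. These look like home-directory expansions for accounts on the machine where the page was generated, not default paths. The MANAGED FILES section says the listed paths are the defaults, so a reader auditing what devicekit_power_t may write is shown paths that will not exist on their system, and the shipped page records a build-host user name. I would drop these eight entries and keep only the generic `/home/[^/]*/...` patterns, ideally by generating the pages from a clean policy store. The list continues outside this hunk.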
@@ -19383,6 +20875,22 @@ index 0000000..67dd44e
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the devicekit_power_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -19402,37 +20910,50 @@ index 0000000..67dd44e
 +
 +.SH "SEE ALSO"
 +selinux(8), devicekit_power(8), semanage(8), restorecon(8), chcon(1)
-+, devicekit_selinux(8)
++, devicekit_selinux(8), devicekit_selinux(8), devicekit_disk_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8
 new file mode 100644
-index 0000000..06f38c6
+index 0000000..872ca17
 --- /dev/null
 +++ b/man/man8/devicekit_selinux.8
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,185 @@
 +.TH  "devicekit_selinux"  "8"  "devicekit" "dwalsh at redhat.com" "devicekit SELinux Policy documentation"
 +.SH "NAME"
 +devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the devicekit processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the devicekit processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The devicekit processes execute with the devicekit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep devicekit_t
++
++
++.SH "ENTRYPOINTS"
 +
++The devicekit_t SELinux type can be entered via the "devicekit_exec_t" file type.  The default entrypoint paths for the devicekit_t domain are the following:"
++
++/usr/libexec/devkit-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
++.PP 
++The following process types are defined for devicekit:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B devicekit_power_t, devicekit_disk_t, devicekit_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -19528,27 +21049,9 @@ index 0000000..06f38c6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for devicekit:
-+
-+.EX
-+.B devicekit_power_t, devicekit_disk_t, devicekit_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type devicekit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type devicekit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B devicekit_var_run_t
@@ -19564,6 +21067,22 @@ index 0000000..06f38c6
 +	/var/run/DeviceKit-disks(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -19587,43 +21106,56 @@ index 0000000..06f38c6
 \ No newline at end of file
 diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8
 new file mode 100644
-index 0000000..e06b4c5
+index 0000000..eb94d27
 --- /dev/null
 +++ b/man/man8/dhcpc_selinux.8
-@@ -0,0 +1,248 @@
+@@ -0,0 +1,259 @@
 +.TH  "dhcpc_selinux"  "8"  "dhcpc" "dwalsh at redhat.com" "dhcpc SELinux Policy documentation"
 +.SH "NAME"
 +dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dhcpc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dhcpc processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible.
++The dhcpc processes execute with the dhcpc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++.B ps -eZ | grep dhcpc_t
 +
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The dhcpc_t SELinux type can be entered via the "dhcpc_exec_t" file type.  The default entrypoint paths for the dhcpc_t domain are the following:"
 +
++/usr/sbin/dhcpcd, /sbin/dhcpcd, /usr/sbin/pump, /sbin/dhclient.*, /usr/sbin/dhclient.*, /sbin/pump, /usr/sbin/dhcdbd, /sbin/dhcdbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
++.PP 
++The following process types are defined for dhcpc:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B dhcpc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean.
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P dhcpc_exec_iptables 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -19721,27 +21253,9 @@ index 0000000..e06b4c5
 +.EE
 +udp 68,546
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dhcpc:
-+
-+.EX
-+.B dhcpc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dhcpc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dhcpc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dhcpc_state_t
@@ -19813,6 +21327,22 @@ index 0000000..e06b4c5
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -19842,50 +21372,63 @@ index 0000000..e06b4c5
 \ No newline at end of file
 diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8
 new file mode 100644
-index 0000000..8630347
+index 0000000..0dd932c
 --- /dev/null
 +++ b/man/man8/dhcpd_selinux.8
-@@ -0,0 +1,216 @@
+@@ -0,0 +1,227 @@
 +.TH  "dhcpd_selinux"  "8"  "dhcpd" "dwalsh at redhat.com" "dhcpd SELinux Policy documentation"
 +.SH "NAME"
 +dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dhcpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dhcpd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible.
++The dhcpd processes execute with the dhcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++.B ps -eZ | grep dhcpd_t
 +
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The dhcpd_t SELinux type can be entered via the "dhcpd_exec_t" file type.  The default entrypoint paths for the dhcpd_t domain are the following:"
++
++/usr/sbin/dhcpd.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dhcpd:
 +
 +.EX
-+.B setsebool -P dhcpd_use_ldap 1
++.B dhcpc_t, dhcpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P dhcpc_exec_iptables 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean.
++If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P dhcpd_use_ldap 1
 +.EE
 +
 +.SH FILE CONTEXTS
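Review bot: The dhcpd page lists `dhcpc_t` among its process types and documents `dhcpc_exec_iptables` under BOOLEANS, although both names refer to the DHCP client domain. Presumably the generator groups domains by a shared name stem. An administrator tightening the server could take the client boolean for a dhcpd setting. I would restrict this page to `dhcpd_t` and `dhcpd_use_ldap`, or label the client entries explicitly as belonging to dhcpc.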
@@ -19996,27 +21539,9 @@ index 0000000..8630347
 +.EE
 +udp 67,547,548,647,847
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dhcpd:
-+
-+.EX
-+.B dhcpc_t, dhcpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dhcpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dhcpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dhcpd_state_t
@@ -20036,6 +21561,22 @@ index 0000000..8630347
 +	/var/run/dhcpd(6)?\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -20065,33 +21606,46 @@ index 0000000..8630347
 \ No newline at end of file
 diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8
 new file mode 100644
-index 0000000..2de76e5
+index 0000000..6f506fc
 --- /dev/null
 +++ b/man/man8/dictd_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "dictd_selinux"  "8"  "dictd" "dwalsh at redhat.com" "dictd SELinux Policy documentation"
 +.SH "NAME"
 +dictd_selinux \- Security Enhanced Linux Policy for the dictd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dictd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dictd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dictd processes execute with the dictd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep dictd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The dictd_t SELinux type can be entered via the "dictd_exec_t" file type.  The default entrypoint paths for the dictd_t domain are the following:"
++
++/usr/sbin/dictd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
++.PP 
++The following process types are defined for dictd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dictd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -20174,27 +21728,9 @@ index 0000000..2de76e5
 +Default Defined Ports:
 +tcp 2628
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dictd:
-+
-+.EX
-+.B dictd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dictd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dictd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dictd_var_run_t
@@ -20202,6 +21738,22 @@ index 0000000..2de76e5
 +	/var/run/dictd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -20226,33 +21778,46 @@ index 0000000..2de76e5
 +selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8
 new file mode 100644
-index 0000000..9cc9487
+index 0000000..ff87d92
 --- /dev/null
 +++ b/man/man8/dirsrv_selinux.8
-@@ -0,0 +1,330 @@
+@@ -0,0 +1,341 @@
 +.TH  "dirsrv_selinux"  "8"  "dirsrv" "dwalsh at redhat.com" "dirsrv SELinux Policy documentation"
 +.SH "NAME"
 +dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dirsrv processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dirsrv processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dirsrv processes execute with the dirsrv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep dirsrv_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The dirsrv_t SELinux type can be entered via the "dirsrv_exec_t" file type.  The default entrypoint paths for the dirsrv_t domain are the following:"
++
++/usr/sbin/ns-slapd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
++.PP 
++The following process types are defined for dirsrv:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dirsrvadmin_unconfined_script_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrv_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -20420,27 +21985,9 @@ index 0000000..9cc9487
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dirsrv:
-+
-+.EX
-+.B dirsrvadmin_unconfined_script_t, dirsrv_snmp_t, dirsrvadmin_t, dirsrv_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dirsrv_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dirsrv_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dirsrv_config_t
@@ -20540,6 +22087,22 @@ index 0000000..9cc9487
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -20563,19 +22126,46 @@ index 0000000..9cc9487
 \ No newline at end of file
 diff --git a/man/man8/dirsrv_snmp_selinux.8 b/man/man8/dirsrv_snmp_selinux.8
 new file mode 100644
-index 0000000..ba29534
+index 0000000..d5a7482
 --- /dev/null
 +++ b/man/man8/dirsrv_snmp_selinux.8
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,135 @@
 +.TH  "dirsrv_snmp_selinux"  "8"  "dirsrv_snmp" "dwalsh at redhat.com" "dirsrv_snmp SELinux Policy documentation"
 +.SH "NAME"
 +dirsrv_snmp_selinux \- Security Enhanced Linux Policy for the dirsrv_snmp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dirsrv_snmp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dirsrv_snmp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dirsrv_snmp processes execute with the dirsrv_snmp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dirsrv_snmp_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrv_snmp_t SELinux type can be entered via the "dirsrv_snmp_exec_t" file type.  The default entrypoint paths for the dirsrv_snmp_t domain are the following:"
++
++/usr/sbin/ldap-agent-bin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible.
++.PP 
++The following process types are defined for dirsrv_snmp:
++
++.EX
++.B dirsrv_snmp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
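Review bot: The re-added PROCESS TYPES text ends the bold run with `\bP` in `option to \fBps\bP`, and `\b` is not a font-change escape, so the bold started by `\fB` is not closed as intended. It should read `\fBps\fP`, which is what the new DESCRIPTION paragraph in this same hunk already uses. The line is moved unchanged from lower in the page and repeats in the dirsrvadmin, dirsrvadmin_unconfined_script, disk_munin_plugin, dkim_milter, dlm_controld, dmesg and dmidecode hunks, so the fix probably belongs in whatever template produces these pages. The FILE CONTEXTS section that follows continues outside the hunk.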
@@ -20619,27 +22209,9 @@ index 0000000..ba29534
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dirsrv_snmp:
-+
-+.EX
-+.B dirsrv_snmp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dirsrv_snmp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dirsrv_snmp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dirsrv_snmp_var_log_t
@@ -20671,6 +22243,8 @@ index 0000000..ba29534
 +	/usr/share/snmp/mibs/\.index
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
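Review bot: The added `.SH NSSWITCH DOMAIN` heading has no body here: the next line is `.SH "COMMANDS"`, so the rendered page shows an empty section. An administrator cannot tell whether no nsswitch-related booleans apply to dirsrv_snmp_t or the text is simply missing. Either omit the heading when there is nothing to list, or put one line under it stating that no booleans apply (if that is the case). The same empty heading is added in the dirsrvadmin, dirsrvadmin_unconfined_script, disk_munin_plugin, dmesg and dmidecode hunks, and it is unquoted while the neighbouring `.SH "COMMANDS"` is quoted.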
@@ -20690,23 +22264,50 @@ index 0000000..ba29534
 +
 +.SH "SEE ALSO"
 +selinux(8), dirsrv_snmp(8), semanage(8), restorecon(8), chcon(1)
-+, dirsrv_selinux(8)
++, dirsrv_selinux(8), dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8
 new file mode 100644
-index 0000000..7e02f77
+index 0000000..c5e75de
 --- /dev/null
 +++ b/man/man8/dirsrvadmin_selinux.8
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,137 @@
 +.TH  "dirsrvadmin_selinux"  "8"  "dirsrvadmin" "dwalsh at redhat.com" "dirsrvadmin SELinux Policy documentation"
 +.SH "NAME"
 +dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dirsrvadmin_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrvadmin_t SELinux type can be entered via the "shell_exec_t,dirsrvadmin_exec_t" file types.  The default entrypoint paths for the dirsrvadmin_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/sbin/start-ds-admin, /usr/sbin/stop-ds-admin, /usr/sbin/restart-ds-admin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
++.PP 
++The following process types are defined for dirsrvadmin:
++
++.EX
++.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
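Review bot: The new ENTRYPOINTS section lists every shell path next to the three ds-admin scripts as default entrypoint paths for dirsrvadmin_t, without saying which paths carry `shell_exec_t` and which `dirsrvadmin_exec_t`. A reader can take this to mean that running any listed shell enters the domain, whereas an entrypoint only names the executables a domain may be started from. I would group the paths by file type and add a sentence such as `A process enters dirsrvadmin_t through one of these files only when policy also allows a transition from its current domain.` The same applies to the dirsrvadmin_unconfined_script_t hunk that follows, where the target is an unconfined script domain. The sentence introducing the list also ends in a stray double quote after `following:`.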
@@ -20778,32 +22379,16 @@ index 0000000..7e02f77
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dirsrvadmin:
-+
-+.EX
-+.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dirsrvadmin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dirsrvadmin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dirsrvadmin_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -20827,19 +22412,46 @@ index 0000000..7e02f77
 \ No newline at end of file
 diff --git a/man/man8/dirsrvadmin_unconfined_script_selinux.8 b/man/man8/dirsrvadmin_unconfined_script_selinux.8
 new file mode 100644
-index 0000000..d40a836
+index 0000000..86e465e
 --- /dev/null
 +++ b/man/man8/dirsrvadmin_unconfined_script_selinux.8
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,129 @@
 +.TH  "dirsrvadmin_unconfined_script_selinux"  "8"  "dirsrvadmin_unconfined_script" "dwalsh at redhat.com" "dirsrvadmin_unconfined_script SELinux Policy documentation"
 +.SH "NAME"
 +dirsrvadmin_unconfined_script_selinux \- Security Enhanced Linux Policy for the dirsrvadmin_unconfined_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dirsrvadmin_unconfined_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dirsrvadmin_unconfined_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dirsrvadmin_unconfined_script processes execute with the dirsrvadmin_unconfined_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dirsrvadmin_unconfined_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The dirsrvadmin_unconfined_script_t SELinux type can be entered via the "shell_exec_t,dirsrvadmin_unconfined_script_exec_t" file types.  The default entrypoint paths for the dirsrvadmin_unconfined_script_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for dirsrvadmin_unconfined_script:
++
++.EX
++.B dirsrvadmin_unconfined_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -20871,27 +22483,9 @@ index 0000000..d40a836
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dirsrvadmin_unconfined_script:
-+
-+.EX
-+.B dirsrvadmin_unconfined_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dirsrvadmin_unconfined_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dirsrvadmin_unconfined_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dirsrv_config_t
@@ -20929,6 +22523,8 @@ index 0000000..d40a836
 +.B dirsrvadmin_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -20948,23 +22544,50 @@ index 0000000..d40a836
 +
 +.SH "SEE ALSO"
 +selinux(8), dirsrvadmin_unconfined_script(8), semanage(8), restorecon(8), chcon(1)
-+, dirsrv_selinux(8), dirsrvadmin_selinux(8)
++, dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/disk_munin_plugin_selinux.8 b/man/man8/disk_munin_plugin_selinux.8
 new file mode 100644
-index 0000000..51d11b3
+index 0000000..906629c
 --- /dev/null
 +++ b/man/man8/disk_munin_plugin_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "disk_munin_plugin_selinux"  "8"  "disk_munin_plugin" "dwalsh at redhat.com" "disk_munin_plugin SELinux Policy documentation"
 +.SH "NAME"
 +disk_munin_plugin_selinux \- Security Enhanced Linux Policy for the disk_munin_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the disk_munin_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the disk_munin_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The disk_munin_plugin processes execute with the disk_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep disk_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The disk_munin_plugin_t SELinux type can be entered via the "disk_munin_plugin_exec_t" file type.  The default entrypoint paths for the disk_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/diskstat.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/df.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for disk_munin_plugin:
++
++.EX
++.B disk_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -21004,27 +22627,9 @@ index 0000000..51d11b3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for disk_munin_plugin:
-+
-+.EX
-+.B disk_munin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type disk_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type disk_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B disk_munin_plugin_tmp_t
@@ -21042,6 +22647,8 @@ index 0000000..51d11b3
 +	/var/lib/munin(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -21063,33 +22670,46 @@ index 0000000..51d11b3
 +selinux(8), disk_munin_plugin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dkim_milter_selinux.8 b/man/man8/dkim_milter_selinux.8
 new file mode 100644
-index 0000000..e58ec1a
+index 0000000..2c9adcc
 --- /dev/null
 +++ b/man/man8/dkim_milter_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "dkim_milter_selinux"  "8"  "dkim_milter" "dwalsh at redhat.com" "dkim_milter SELinux Policy documentation"
 +.SH "NAME"
 +dkim_milter_selinux \- Security Enhanced Linux Policy for the dkim_milter processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dkim_milter processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dkim_milter processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dkim_milter processes execute with the dkim_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep dkim_milter_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The dkim_milter_t SELinux type can be entered via the "dkim_milter_exec_t" file type.  The default entrypoint paths for the dkim_milter_t domain are the following:"
++
++/usr/sbin/dkim-filter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible.
++.PP 
++The following process types are defined for dkim_milter:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dkim_milter_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -21137,27 +22757,9 @@ index 0000000..e58ec1a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dkim_milter:
-+
-+.EX
-+.B dkim_milter_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dkim_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dkim_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dkim_milter_data_t
@@ -21167,6 +22769,22 @@ index 0000000..e58ec1a
 +	/var/run/dkim-milter(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -21188,33 +22806,46 @@ index 0000000..e58ec1a
 +selinux(8), dkim_milter(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dlm_controld_selinux.8 b/man/man8/dlm_controld_selinux.8
 new file mode 100644
-index 0000000..ebed624
+index 0000000..850ab58
 --- /dev/null
 +++ b/man/man8/dlm_controld_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "dlm_controld_selinux"  "8"  "dlm_controld" "dwalsh at redhat.com" "dlm_controld SELinux Policy documentation"
 +.SH "NAME"
 +dlm_controld_selinux \- Security Enhanced Linux Policy for the dlm_controld processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dlm_controld processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dlm_controld processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dlm_controld processes execute with the dlm_controld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dlm_controld_t
++
++
++.SH "ENTRYPOINTS"
 +
++The dlm_controld_t SELinux type can be entered via the "dlm_controld_exec_t" file type.  The default entrypoint paths for the dlm_controld_t domain are the following:"
++
++/usr/sbin/dlm_controld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible.
++.PP 
++The following process types are defined for dlm_controld:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dlm_controld_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -21266,27 +22897,9 @@ index 0000000..ebed624
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dlm_controld:
-+
-+.EX
-+.B dlm_controld_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dlm_controld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dlm_controld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_var_lib_t
@@ -21328,6 +22941,22 @@ index 0000000..ebed624
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -21349,30 +22978,46 @@ index 0000000..ebed624
 +selinux(8), dlm_controld(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8
 new file mode 100644
-index 0000000..3cf8142
+index 0000000..e0d8833
 --- /dev/null
 +++ b/man/man8/dmesg_selinux.8
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,154 @@
 +.TH  "dmesg_selinux"  "8"  "dmesg" "dwalsh at redhat.com" "dmesg SELinux Policy documentation"
 +.SH "NAME"
 +dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dmesg processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dmesg processes via flexible mandatory access control.
++
++The dmesg processes execute with the dmesg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dmesg_t
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  dmesg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dmesg with the tightest access possible.
 +
++.SH "ENTRYPOINTS"
 +
++The dmesg_t SELinux type can be entered via the "dmesg_exec_t" file type.  The default entrypoint paths for the dmesg_t domain are the following:"
++
++/usr/bin/dmesg, /bin/dmesg
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
++.PP 
++The following process types are defined for dmesg:
 +
 +.EX
-+.B setsebool -P user_dmesg 1
++.B dmesg_t 
 +.EE
-+
-+.SH NSSWITCH DOMAIN
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
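Review bot: The new dmesg_selinux.8 no longer documents the `user_dmesg` boolean: the BOOLEANS section with its `setsebool -P user_dmesg 1` example is removed and nothing replaces it. If the boolean still exists in the policy this patch builds (not visible from here), the page no longer tells an administrator that it controls whether users may read system messages. If the boolean was removed, the commit description should say so. A later hunk for the same page also drops the `semanage boolean` paragraph and `setsebool(8)` from SEE ALSO, so both should be decided together.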
@@ -21404,27 +23049,9 @@ index 0000000..3cf8142
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dmesg:
-+
-+.EX
-+.B dmesg_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dmesg_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dmesg_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_var_run_t
@@ -21488,6 +23115,8 @@ index 0000000..3cf8142
 +	/var/spool/plymouth/boot\.log
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -21498,9 +23127,6 @@ index 0000000..3cf8142
 +.B semanage module
 +can also be used to enable/disable/install/remove policy modules.
 +
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
 +.PP
 +.B system-config-selinux 
 +is a GUI tool available to customize SELinux policy settings.
@@ -21510,23 +23136,48 @@ index 0000000..3cf8142
 +
 +.SH "SEE ALSO"
 +selinux(8), dmesg(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8)
-\ No newline at end of file
 diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8
 new file mode 100644
-index 0000000..997162d
+index 0000000..5909421
 --- /dev/null
 +++ b/man/man8/dmidecode_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "dmidecode_selinux"  "8"  "dmidecode" "dwalsh at redhat.com" "dmidecode SELinux Policy documentation"
 +.SH "NAME"
 +dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dmidecode processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dmidecode processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dmidecode processes execute with the dmidecode_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dmidecode_t
++
++
++.SH "ENTRYPOINTS"
++
++The dmidecode_t SELinux type can be entered via the "dmidecode_exec_t" file type.  The default entrypoint paths for the dmidecode_t domain are the following:"
++
++/usr/sbin/dmidecode, /usr/sbin/vpddecode, /usr/sbin/ownership
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
++.PP 
++The following process types are defined for dmidecode:
++
++.EX
++.B dmidecode_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -21558,27 +23209,11 @@ index 0000000..997162d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dmidecode:
-+
-+.EX
-+.B dmidecode_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dmidecode_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dmidecode_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
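Review bot: The added `.SH NSSWITCH DOMAIN` heading in dmidecode_selinux.8 has no body, so the page renders an empty section immediately before COMMANDS. The same bare heading is added in the dnssec_trigger_selinux.8 and drbd_selinux.8 hunks further down. The generator presumably writes the heading unconditionally. It should write it only when at least one boolean paragraph (such as the `authlogin_nsswitch_use_ldap` one in the dnsmasq page) follows.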
@@ -21601,33 +23236,46 @@ index 0000000..997162d
 +selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8
 new file mode 100644
-index 0000000..7936a77
+index 0000000..f2ad0c0
 --- /dev/null
 +++ b/man/man8/dnsmasq_selinux.8
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,206 @@
 +.TH  "dnsmasq_selinux"  "8"  "dnsmasq" "dwalsh at redhat.com" "dnsmasq SELinux Policy documentation"
 +.SH "NAME"
 +dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dnsmasq processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dnsmasq processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dnsmasq processes execute with the dnsmasq_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dnsmasq_t
++
++
++.SH "ENTRYPOINTS"
 +
++The dnsmasq_t SELinux type can be entered via the "dnsmasq_exec_t" file type.  The default entrypoint paths for the dnsmasq_t domain are the following:"
++
++/usr/sbin/dnsmasq
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
++.PP 
++The following process types are defined for dnsmasq:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dnsmasq_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
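Review bot: In the relocated PROCESS TYPES text, `\fBps\bP` never switches bold off, because `\bP` is not a font escape. The line should end `\fBps\fP`, as the DESCRIPTION paragraph added in this same hunk already does. The ENTRYPOINTS sentence also ends with a stray `"` after `are the following:`. Both recur in every regenerated page in this patch, so they look like template defects to fix once in the generator rather than per page.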
@@ -21711,27 +23359,9 @@ index 0000000..7936a77
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dnsmasq:
-+
-+.EX
-+.B dnsmasq_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dnsmasq_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dnsmasq_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B crond_var_run_t
@@ -21781,6 +23411,22 @@ index 0000000..7936a77
 +	/var/lib/libvirt(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
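Review bot: The NSSWITCH DOMAIN paragraph moved here still reads `rather then using a sssd serve for the dnsmasq_t`, which garbles the administrator guidance for `authlogin_nsswitch_use_ldap`. Suggested wording: `directly from ldap rather than using an sssd server for the dnsmasq_t domain`. The same sentence appears in the dovecot_auth, dovecot_deliver, dovecot and dspam pages in this patch, so it probably comes from one template string.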
@@ -21802,19 +23448,46 @@ index 0000000..7936a77
 +selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dnssec_trigger_selinux.8 b/man/man8/dnssec_trigger_selinux.8
 new file mode 100644
-index 0000000..5b194fb
+index 0000000..9f056bb
 --- /dev/null
 +++ b/man/man8/dnssec_trigger_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,128 @@
 +.TH  "dnssec_trigger_selinux"  "8"  "dnssec_trigger" "dwalsh at redhat.com" "dnssec_trigger SELinux Policy documentation"
 +.SH "NAME"
 +dnssec_trigger_selinux \- Security Enhanced Linux Policy for the dnssec_trigger processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dnssec_trigger processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dnssec_trigger processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dnssec_trigger processes execute with the dnssec_trigger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep dnssec_trigger_t
++
++
++.SH "ENTRYPOINTS"
++
++The dnssec_trigger_t SELinux type can be entered via the "dnssec_trigger_exec_t" file type.  The default entrypoint paths for the dnssec_trigger_t domain are the following:"
++
++/usr/sbin/dnssec-triggerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible.
++.PP 
++The following process types are defined for dnssec_trigger:
++
++.EX
++.B dnssec_trigger_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -21850,27 +23523,9 @@ index 0000000..5b194fb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dnssec_trigger:
-+
-+.EX
-+.B dnssec_trigger_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dnssec_trigger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dnssec_trigger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dnssec_trigger_var_run_t
@@ -21904,6 +23559,8 @@ index 0000000..5b194fb
 +	/etc/ethers
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -21925,33 +23582,46 @@ index 0000000..5b194fb
 +selinux(8), dnssec_trigger(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dovecot_auth_selinux.8 b/man/man8/dovecot_auth_selinux.8
 new file mode 100644
-index 0000000..3c8fcbf
+index 0000000..95cf9f0
 --- /dev/null
 +++ b/man/man8/dovecot_auth_selinux.8
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,157 @@
 +.TH  "dovecot_auth_selinux"  "8"  "dovecot_auth" "dwalsh at redhat.com" "dovecot_auth SELinux Policy documentation"
 +.SH "NAME"
 +dovecot_auth_selinux \- Security Enhanced Linux Policy for the dovecot_auth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dovecot_auth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dovecot_auth processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dovecot_auth processes execute with the dovecot_auth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dovecot_auth_t
 +
++
++.SH "ENTRYPOINTS"
++
++The dovecot_auth_t SELinux type can be entered via the "dovecot_auth_exec_t" file type.  The default entrypoint paths for the dovecot_auth_t domain are the following:"
++
++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dovecot_auth_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible.
++.PP 
++The following process types are defined for dovecot_auth:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dovecot_auth_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -21991,27 +23661,9 @@ index 0000000..3c8fcbf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dovecot_auth:
-+
-+.EX
-+.B dovecot_auth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dovecot_auth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dovecot_auth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dovecot_auth_tmp_t
@@ -22055,6 +23707,22 @@ index 0000000..3c8fcbf
 +	/var/run/pcscd\.comm
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -22074,37 +23742,50 @@ index 0000000..3c8fcbf
 +
 +.SH "SEE ALSO"
 +selinux(8), dovecot_auth(8), semanage(8), restorecon(8), chcon(1)
-+, dovecot_selinux(8)
++, dovecot_selinux(8), dovecot_selinux(8), dovecot_deliver_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/dovecot_deliver_selinux.8 b/man/man8/dovecot_deliver_selinux.8
 new file mode 100644
-index 0000000..9f179d5
+index 0000000..22c1453
 --- /dev/null
 +++ b/man/man8/dovecot_deliver_selinux.8
-@@ -0,0 +1,140 @@
+@@ -0,0 +1,163 @@
 +.TH  "dovecot_deliver_selinux"  "8"  "dovecot_deliver" "dwalsh at redhat.com" "dovecot_deliver SELinux Policy documentation"
 +.SH "NAME"
 +dovecot_deliver_selinux \- Security Enhanced Linux Policy for the dovecot_deliver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dovecot_deliver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dovecot_deliver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dovecot_deliver processes execute with the dovecot_deliver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dovecot_deliver_t
 +
++
++.SH "ENTRYPOINTS"
++
++The dovecot_deliver_t SELinux type can be entered via the "dovecot_deliver_exec_t" file type.  The default entrypoint paths for the dovecot_deliver_t domain are the following:"
++
++/usr/libexec/dovecot/dovecot-lda, /usr/libexec/dovecot/deliver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible.
++.PP 
++The following process types are defined for dovecot_deliver:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dovecot_deliver_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
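Review bot: The new SEE ALSO line for dovecot_auth_selinux.8 lists `dovecot_selinux(8)` twice: `, dovecot_selinux(8), dovecot_selinux(8), dovecot_deliver_selinux(8)`. The dovecot_deliver page has the same duplicate in its SEE ALSO line. The related-page list should be de-duplicated before it is written, giving `, dovecot_selinux(8), dovecot_deliver_selinux(8)`.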
@@ -22144,27 +23825,9 @@ index 0000000..9f179d5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dovecot_deliver:
-+
-+.EX
-+.B dovecot_deliver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dovecot_deliver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dovecot_deliver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B data_home_t
@@ -22173,6 +23836,10 @@ index 0000000..9f179d5
 +.br
 +	/home/[^/]*/\.local/share(/.*)?
 +.br
++	/home/dwalsh/\.local/share(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local/share(/.*)?
++.br
 +
 +.br
 +.B dovecot_deliver_tmp_t
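Review bot: The paths added under `data_home_t`, `/home/dwalsh/\.local/share(/.*)?` and `/var/lib/xguest/home/xguest/\.local/share(/.*)?`, look like per-account file-context entries from the machine the pages were generated on, not policy defaults. The MANAGED FILES text calls these the default paths for the file type, and the generic `/home/[^/]*/\.local/share(/.*)?` pattern above already covers home directories. Shipping them therefore misstates the defaults and publishes a local account name in distributed documentation. The same pair recurs in the next two hunks of this page (Maildir and `/home/dwalsh/.+`) and in the three matching hunks of dovecot_selinux.8. Generating the pages on a clean build root, or filtering expanded home-directory contexts in the generator, would leave only the pattern line.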
@@ -22185,6 +23852,10 @@ index 0000000..9f179d5
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
@@ -22201,6 +23872,26 @@ index 0000000..9f179d5
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -22221,37 +23912,50 @@ index 0000000..9f179d5
 +
 +.SH "SEE ALSO"
 +selinux(8), dovecot_deliver(8), semanage(8), restorecon(8), chcon(1)
-+, dovecot_selinux(8)
++, dovecot_selinux(8), dovecot_selinux(8), dovecot_auth_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8
 new file mode 100644
-index 0000000..de8d02e
+index 0000000..c4cc83d
 --- /dev/null
 +++ b/man/man8/dovecot_selinux.8
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,337 @@
 +.TH  "dovecot_selinux"  "8"  "dovecot" "dwalsh at redhat.com" "dovecot SELinux Policy documentation"
 +.SH "NAME"
 +dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dovecot processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dovecot processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dovecot processes execute with the dovecot_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dovecot_t
++
++
++.SH "ENTRYPOINTS"
++
++The dovecot_t SELinux type can be entered via the "dovecot_exec_t" file type.  The default entrypoint paths for the dovecot_t domain are the following:"
 +
++/usr/sbin/dovecot
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
++.PP 
++The following process types are defined for dovecot:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dovecot_deliver_t, dovecot_auth_t, dovecot_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -22415,27 +24119,9 @@ index 0000000..de8d02e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dovecot:
-+
-+.EX
-+.B dovecot_deliver_t, dovecot_auth_t, dovecot_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dovecot_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dovecot_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B data_home_t
@@ -22444,6 +24130,10 @@ index 0000000..de8d02e
 +.br
 +	/home/[^/]*/\.local/share(/.*)?
 +.br
++	/home/dwalsh/\.local/share(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local/share(/.*)?
++.br
 +
 +.br
 +.B dovecot_spool_t
@@ -22506,6 +24196,10 @@ index 0000000..de8d02e
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
@@ -22522,6 +24216,26 @@ index 0000000..de8d02e
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -22546,19 +24260,46 @@ index 0000000..de8d02e
 \ No newline at end of file
 diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8
 new file mode 100644
-index 0000000..37020af
+index 0000000..9bb875f
 --- /dev/null
 +++ b/man/man8/drbd_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,118 @@
 +.TH  "drbd_selinux"  "8"  "drbd" "dwalsh at redhat.com" "drbd SELinux Policy documentation"
 +.SH "NAME"
 +drbd_selinux \- Security Enhanced Linux Policy for the drbd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the drbd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the drbd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The drbd processes execute with the drbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep drbd_t
++
++
++.SH "ENTRYPOINTS"
++
++The drbd_t SELinux type can be entered via the "drbd_exec_t" file type.  The default entrypoint paths for the drbd_t domain are the following:"
++
++/usr/sbin/drbdadm, /sbin/drbdsetup, /sbin/drbdadm, /usr/lib/ocf/resource.\d/linbit/drbd, /usr/sbin/drbdsetup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for drbd:
++
++.EX
++.B drbd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -22606,27 +24347,9 @@ index 0000000..37020af
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for drbd:
-+
-+.EX
-+.B drbd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type drbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type drbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B drbd_lock_t
@@ -22638,6 +24361,8 @@ index 0000000..37020af
 +	/var/lib/drbd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -22659,33 +24384,46 @@ index 0000000..37020af
 +selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8
 new file mode 100644
-index 0000000..7407c94
+index 0000000..72d2e6c
 --- /dev/null
 +++ b/man/man8/dspam_selinux.8
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,164 @@
 +.TH  "dspam_selinux"  "8"  "dspam" "dwalsh at redhat.com" "dspam SELinux Policy documentation"
 +.SH "NAME"
 +dspam_selinux \- Security Enhanced Linux Policy for the dspam processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the dspam processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the dspam processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The dspam processes execute with the dspam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep dspam_t
 +
++
++.SH "ENTRYPOINTS"
++
++The dspam_t SELinux type can be entered via the "dspam_exec_t" file type.  The default entrypoint paths for the dspam_t domain are the following:"
++
++/usr/bin/dspam
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
++.PP 
++The following process types are defined for dspam:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B dspam_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -22753,27 +24491,9 @@ index 0000000..7407c94
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for dspam:
-+
-+.EX
-+.B dspam_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type dspam_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type dspam_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dspam_log_t
@@ -22797,6 +24517,22 @@ index 0000000..7407c94
 +.B httpd_dspam_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -22818,43 +24554,56 @@ index 0000000..7407c94
 +selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8
 new file mode 100644
-index 0000000..55c691d
+index 0000000..2eadb33
 --- /dev/null
 +++ b/man/man8/entropyd_selinux.8
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,141 @@
 +.TH  "entropyd_selinux"  "8"  "entropyd" "dwalsh at redhat.com" "entropyd SELinux Policy documentation"
 +.SH "NAME"
 +entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the entropyd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the entropyd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible.
++The entropyd processes execute with the entropyd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean.
++.B ps -eZ | grep entropyd_t
 +
-+.EX
-+.B setsebool -P entropyd_use_audio 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The entropyd_t SELinux type can be entered via the "entropyd_exec_t" file type.  The default entrypoint paths for the entropyd_t domain are the following:"
++
++/usr/sbin/audio-entropyd, /usr/sbin/haveged
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
++.PP 
++The following process types are defined for entropyd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B entropyd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P entropyd_use_audio 1
 +.EE
 +
 +.SH FILE CONTEXTS
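Review bot: The relocated PROCESS TYPES text still carries the malformed font escape `\fBps\bP`, which looks like a typo for `\fBps\fP`; as written the bold run after "ps" is likely not closed. The added ENTRYPOINTS sentence also ends with a stray `"` after "are the following:". Both appear to come from the page template, since the same lines recur in the eventlogd, evtchnd, exim, fail2ban_client, fail2ban, fcoemon and fenced hunks. The bare `.B ps -eZ | grep entropyd_t` example could sit inside `.EX`/`.EE` like the `setsebool` examples on the same page.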
@@ -22899,27 +24648,9 @@ index 0000000..55c691d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for entropyd:
-+
-+.EX
-+.B entropyd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type entropyd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type entropyd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B entropyd_var_run_t
@@ -22929,6 +24660,22 @@ index 0000000..55c691d
 +	/var/run/audio-entropyd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -22955,19 +24702,46 @@ index 0000000..55c691d
 \ No newline at end of file
 diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8
 new file mode 100644
-index 0000000..4d05864
+index 0000000..b260cc4
 --- /dev/null
 +++ b/man/man8/eventlogd_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "eventlogd_selinux"  "8"  "eventlogd" "dwalsh at redhat.com" "eventlogd SELinux Policy documentation"
 +.SH "NAME"
 +eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the eventlogd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the eventlogd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The eventlogd processes execute with the eventlogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep eventlogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The eventlogd_t SELinux type can be entered via the "eventlogd_exec_t" file type.  The default entrypoint paths for the eventlogd_t domain are the following:"
++
++/usr/sbin/eventlogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for eventlogd:
++
++.EX
++.B eventlogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -23019,27 +24793,9 @@ index 0000000..4d05864
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for eventlogd:
-+
-+.EX
-+.B eventlogd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type eventlogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type eventlogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B eventlogd_var_lib_t
@@ -23053,6 +24809,8 @@ index 0000000..4d05864
 +	/var/run/eventlogd.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
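Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the rendered page shows an empty section. That reads as missing information rather than "no nsswitch booleans apply to eventlogd_t", which is presumably the case. The generator should skip the heading when it has nothing to list, or emit one line such as `No nsswitch-related booleans apply to this domain.` The evtchnd, fail2ban_client and fcoemon hunks add the same empty heading.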
@@ -23074,19 +24832,46 @@ index 0000000..4d05864
 +selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8
 new file mode 100644
-index 0000000..6109cfb
+index 0000000..606fe52
 --- /dev/null
 +++ b/man/man8/evtchnd_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "evtchnd_selinux"  "8"  "evtchnd" "dwalsh at redhat.com" "evtchnd SELinux Policy documentation"
 +.SH "NAME"
 +evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the evtchnd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the evtchnd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The evtchnd processes execute with the evtchnd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep evtchnd_t
++
++
++.SH "ENTRYPOINTS"
++
++The evtchnd_t SELinux type can be entered via the "evtchnd_exec_t" file type.  The default entrypoint paths for the evtchnd_t domain are the following:"
++
++/usr/sbin/evtchnd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
++.PP 
++The following process types are defined for evtchnd:
++
++.EX
++.B evtchnd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -23134,27 +24919,9 @@ index 0000000..6109cfb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for evtchnd:
-+
-+.EX
-+.B evtchnd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type evtchnd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type evtchnd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B evtchnd_var_log_t
@@ -23170,6 +24937,8 @@ index 0000000..6109cfb
 +	/var/run/evtchnd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -23191,17 +24960,46 @@ index 0000000..6109cfb
 +selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8
 new file mode 100644
-index 0000000..f4f4fa7
+index 0000000..3184007
 --- /dev/null
 +++ b/man/man8/exim_selinux.8
-@@ -0,0 +1,232 @@
+@@ -0,0 +1,251 @@
 +.TH  "exim_selinux"  "8"  "exim" "dwalsh at redhat.com" "exim SELinux Policy documentation"
 +.SH "NAME"
 +exim_selinux \- Security Enhanced Linux Policy for the exim processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the exim processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the exim processes via flexible mandatory access control.
++
++The exim processes execute with the exim_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep exim_t
++
++
++.SH "ENTRYPOINTS"
++
++The exim_t SELinux type can be entered via the "exim_exec_t" file type.  The default entrypoint paths for the exim_t domain are the following:"
++
++/usr/sbin/exim_tidydb, /usr/sbin/exim[0-9]?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
++.PP 
++The following process types are defined for exim:
++
++.EX
++.B exim_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible.
@@ -23228,22 +25026,6 @@ index 0000000..f4f4fa7
 +.B setsebool -P exim_manage_user_files 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -23322,27 +25104,9 @@ index 0000000..f4f4fa7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for exim:
-+
-+.EX
-+.B exim_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type exim_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type exim_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B arpwatch_tmp_t
@@ -23383,6 +25147,10 @@ index 0000000..f4f4fa7
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
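Review bot: The added paths `/home/dwalsh/Maildir(/.*)?` and `/var/lib/xguest/home/xguest/Maildir(/.*)?` look like home-directory expansions from the machine the page was generated on, not defaults of the policy. Shipping them presents one host's local accounts as "default paths" and publishes a local account name. The template entry `/home/[^/]*/Maildir(/.*)?` just above already covers the first of them. The generator should list only the policy's template patterns, or the pages should be regenerated in a clean build root. The next hunk adds the same kind of entries (`/home/dwalsh/.+`, `/var/lib/xguest/home/xguest/.+`).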
@@ -23403,6 +25171,26 @@ index 0000000..f4f4fa7
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -23430,19 +25218,46 @@ index 0000000..f4f4fa7
 \ No newline at end of file
 diff --git a/man/man8/fail2ban_client_selinux.8 b/man/man8/fail2ban_client_selinux.8
 new file mode 100644
-index 0000000..04741bf
+index 0000000..8b96263
 --- /dev/null
 +++ b/man/man8/fail2ban_client_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "fail2ban_client_selinux"  "8"  "fail2ban_client" "dwalsh at redhat.com" "fail2ban_client SELinux Policy documentation"
 +.SH "NAME"
 +fail2ban_client_selinux \- Security Enhanced Linux Policy for the fail2ban_client processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fail2ban_client processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fail2ban_client processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fail2ban_client processes execute with the fail2ban_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep fail2ban_client_t
++
++
++.SH "ENTRYPOINTS"
++
++The fail2ban_client_t SELinux type can be entered via the "fail2ban_client_exec_t" file type.  The default entrypoint paths for the fail2ban_client_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible.
++.PP 
++The following process types are defined for fail2ban_client:
++
++.EX
++.B fail2ban_client_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
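Review bot: The new ENTRYPOINTS section for fail2ban_client_t stops at "are the following:" and lists no path before `.SH PROCESS TYPES`. A reader cannot tell whether `fail2ban_client_exec_t` has no file-context entry in this policy or the generator simply found none. If no file carries that label, nothing would enter the domain through it, though that is inferred because the policy is not in this hunk. Either omit the section when the list is empty or say so explicitly, e.g. `No default entrypoint paths are defined for fail2ban_client_exec_t.`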
@@ -23470,27 +25285,11 @@ index 0000000..04741bf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fail2ban_client:
-+
-+.EX
-+.B fail2ban_client_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fail2ban_client_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fail2ban_client_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -23511,37 +25310,50 @@ index 0000000..04741bf
 +
 +.SH "SEE ALSO"
 +selinux(8), fail2ban_client(8), semanage(8), restorecon(8), chcon(1)
-+, fail2ban_selinux(8)
++, fail2ban_selinux(8), fail2ban_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8
 new file mode 100644
-index 0000000..2627ff6
+index 0000000..e244054
 --- /dev/null
 +++ b/man/man8/fail2ban_selinux.8
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,203 @@
 +.TH  "fail2ban_selinux"  "8"  "fail2ban" "dwalsh at redhat.com" "fail2ban SELinux Policy documentation"
 +.SH "NAME"
 +fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fail2ban processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fail2ban processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fail2ban processes execute with the fail2ban_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep fail2ban_t
++
++
++.SH "ENTRYPOINTS"
++
++The fail2ban_t SELinux type can be entered via the "fail2ban_exec_t" file type.  The default entrypoint paths for the fail2ban_t domain are the following:"
 +
++/usr/bin/fail2ban-server, /usr/bin/fail2ban
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
++.PP 
++The following process types are defined for fail2ban:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B fail2ban_client_t, fail2ban_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
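Review bot: The changed SEE ALSO line at the top of this hunk now reads `, fail2ban_selinux(8), fail2ban_selinux(8)`, listing the same page twice. It should stay `, fail2ban_selinux(8)`. The duplicate suggests the generator appends related pages without de-duplicating them, so other pages with sibling domains may show the same repetition.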
@@ -23621,27 +25433,9 @@ index 0000000..2627ff6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fail2ban:
-+
-+.EX
-+.B fail2ban_client_t, fail2ban_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fail2ban_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fail2ban_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fail2ban_log_t
@@ -23691,6 +25485,22 @@ index 0000000..2627ff6
 +	/etc/ethers
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -23714,19 +25524,46 @@ index 0000000..2627ff6
 \ No newline at end of file
 diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8
 new file mode 100644
-index 0000000..9dc9954
+index 0000000..458b15e
 --- /dev/null
 +++ b/man/man8/fcoemon_selinux.8
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,108 @@
 +.TH  "fcoemon_selinux"  "8"  "fcoemon" "dwalsh at redhat.com" "fcoemon SELinux Policy documentation"
 +.SH "NAME"
 +fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fcoemon processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fcoemon processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fcoemon processes execute with the fcoemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep fcoemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The fcoemon_t SELinux type can be entered via the "fcoemon_exec_t" file type.  The default entrypoint paths for the fcoemon_t domain are the following:"
++
++/usr/sbin/fcoemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
++.PP 
++The following process types are defined for fcoemon:
++
++.EX
++.B fcoemon_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -23766,27 +25603,9 @@ index 0000000..9dc9954
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fcoemon:
-+
-+.EX
-+.B fcoemon_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fcoemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fcoemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fcoemon_var_run_t
@@ -23796,6 +25615,8 @@ index 0000000..9dc9954
 +	/var/run/fcoemon\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -23817,50 +25638,63 @@ index 0000000..9dc9954
 +selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8
 new file mode 100644
-index 0000000..de66206
+index 0000000..f6e4386
 --- /dev/null
 +++ b/man/man8/fenced_selinux.8
-@@ -0,0 +1,211 @@
+@@ -0,0 +1,222 @@
 +.TH  "fenced_selinux"  "8"  "fenced" "dwalsh at redhat.com" "fenced SELinux Policy documentation"
 +.SH "NAME"
 +fenced_selinux \- Security Enhanced Linux Policy for the fenced processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fenced processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fenced processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible.
++The fenced processes execute with the fenced_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
++.B ps -eZ | grep fenced_t
 +
-+.EX
-+.B setsebool -P fenced_can_ssh 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The fenced_t SELinux type can be entered via the "fenced_exec_t" file type.  The default entrypoint paths for the fenced_t domain are the following:"
++
++/usr/sbin/fence_tool, /usr/sbin/fence_node, /usr/sbin/fenced
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
++.PP 
++The following process types are defined for fenced:
 +
 +.EX
-+.B setsebool -P fenced_can_network_connect 1
++.B fenced_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P fenced_can_ssh 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean.
++If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P fenced_can_network_connect 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -23937,27 +25771,9 @@ index 0000000..de66206
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fenced:
-+
-+.EX
-+.B fenced_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fenced_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fenced_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_var_lib_t
@@ -24009,6 +25825,22 @@ index 0000000..de66206
 +	/usr/share/snmp/mibs/\.index
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
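Review bot: The NSSWITCH DOMAIN paragraphs added here read as if `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1` grant access only "for the fenced_t", but SELinux booleans are policy-wide, so turning one on widens access for every domain it covers. I would add a line after each paragraph such as `Note: this boolean is policy-wide; enabling it affects every domain it covers, not only fenced_t.` The first paragraph also carries two typos that could be fixed while it is being moved: `rather than using an sssd server`. The same wording recurs in the fingerd, firewalld, firewallgui, foghorn and fprintd NSSWITCH hunks further down.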
@@ -24035,19 +25867,46 @@ index 0000000..de66206
 \ No newline at end of file
 diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8
 new file mode 100644
-index 0000000..468a155
+index 0000000..fdc79d0
 --- /dev/null
 +++ b/man/man8/fetchmail_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,146 @@
 +.TH  "fetchmail_selinux"  "8"  "fetchmail" "dwalsh at redhat.com" "fetchmail SELinux Policy documentation"
 +.SH "NAME"
 +fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fetchmail processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fetchmail processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fetchmail processes execute with the fetchmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep fetchmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The fetchmail_t SELinux type can be entered via the "fetchmail_exec_t" file type.  The default entrypoint paths for the fetchmail_t domain are the following:"
++
++/usr/bin/fetchmail
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for fetchmail:
++
++.EX
++.B fetchmail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
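Review bot: The relocated PROCESS TYPES text contains `option to \fBps\bP`, where `\bP` is not a font escape, so the bold started by `\fB` is never switched back and the text after "ps" is likely to render wrong; it should read `\fBps\fP`. The ENTRYPOINTS sentence added just above it also ends with a stray `"` after "are the following:". Both look like they come from the generator template, so the same two fixes apply to the fingerd, firewalld, firewallgui, firstboot, foghorn and fprintd header hunks in this patch.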
@@ -24111,27 +25970,9 @@ index 0000000..468a155
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fetchmail:
-+
-+.EX
-+.B fetchmail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fetchmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fetchmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fetchmail_uidl_cache_t
@@ -24155,6 +25996,8 @@ index 0000000..468a155
 +	/var/log/sendmail\.st
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
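Review bot: The `.SH NSSWITCH DOMAIN` heading added here has no body, so the page shows an empty section directly before COMMANDS. A reader cannot tell whether no nsswitch-related booleans apply to fetchmail_t or whether text is missing. Either drop the heading when there is nothing to list, or add one line such as `No nsswitch booleans apply to this domain.` if that is what the policy says. The firstboot hunk that adds the same bare heading has the same problem.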
@@ -24176,33 +26019,46 @@ index 0000000..468a155
 +selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8
 new file mode 100644
-index 0000000..2c1e040
+index 0000000..a9896ce
 --- /dev/null
 +++ b/man/man8/fingerd_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "fingerd_selinux"  "8"  "fingerd" "dwalsh at redhat.com" "fingerd SELinux Policy documentation"
 +.SH "NAME"
 +fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fingerd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fingerd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fingerd processes execute with the fingerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep fingerd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The fingerd_t SELinux type can be entered via the "fingerd_exec_t" file type.  The default entrypoint paths for the fingerd_t domain are the following:"
++
++/etc/cron\.weekly/(c)?fingerd, /usr/sbin/[cef]fingerd, /usr/sbin/in\.fingerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
++.PP 
++The following process types are defined for fingerd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B fingerd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -24281,27 +26137,9 @@ index 0000000..2c1e040
 +Default Defined Ports:
 +tcp 79
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fingerd:
-+
-+.EX
-+.B fingerd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fingerd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fingerd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fingerd_log_t
@@ -24313,6 +26151,22 @@ index 0000000..2c1e040
 +.B fingerd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -24337,33 +26191,46 @@ index 0000000..2c1e040
 +selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8
 new file mode 100644
-index 0000000..706011a
+index 0000000..3bc72bd
 --- /dev/null
 +++ b/man/man8/firewalld_selinux.8
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,161 @@
 +.TH  "firewalld_selinux"  "8"  "firewalld" "dwalsh at redhat.com" "firewalld SELinux Policy documentation"
 +.SH "NAME"
 +firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the firewalld processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the firewalld processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The firewalld processes execute with the firewalld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep firewalld_t
 +
++
++.SH "ENTRYPOINTS"
++
++The firewalld_t SELinux type can be entered via the "firewalld_exec_t" file type.  The default entrypoint paths for the firewalld_t domain are the following:"
++
++/usr/sbin/firewalld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
++.PP 
++The following process types are defined for firewalld:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B firewallgui_t, firewalld_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -24435,27 +26302,9 @@ index 0000000..706011a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for firewalld:
-+
-+.EX
-+.B firewallgui_t, firewalld_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type firewalld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type firewalld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B firewalld_etc_rw_t
@@ -24471,6 +26320,22 @@ index 0000000..706011a
 +	/var/run/firewalld\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
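Review bot: Both NSSWITCH DOMAIN paragraphs added to firewalld_selinux.8 say "for the firewallgui_t", while this page documents firewalld and its PROCESS TYPES section lists `firewallgui_t, firewalld_t`. As written, an administrator cannot tell whether firewalld_t itself is covered by `authlogin_nsswitch_use_ldap` and `kerberos_enabled`. If only firewallgui_t is an nsswitch domain, say so explicitly, e.g. `Of the firewalld process types, only firewallgui_t uses nsswitch.`; otherwise name both types in each paragraph.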
@@ -24494,33 +26359,46 @@ index 0000000..706011a
 \ No newline at end of file
 diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8
 new file mode 100644
-index 0000000..9e669ae
+index 0000000..04555ba
 --- /dev/null
 +++ b/man/man8/firewallgui_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,136 @@
 +.TH  "firewallgui_selinux"  "8"  "firewallgui" "dwalsh at redhat.com" "firewallgui SELinux Policy documentation"
 +.SH "NAME"
 +firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the firewallgui processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the firewallgui processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The firewallgui processes execute with the firewallgui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep firewallgui_t
++
++
++.SH "ENTRYPOINTS"
++
++The firewallgui_t SELinux type can be entered via the "firewallgui_exec_t" file type.  The default entrypoint paths for the firewallgui_t domain are the following:"
 +
++/usr/share/system-config-firewall/system-config-firewall-mechanism.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
++.PP 
++The following process types are defined for firewallgui:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B firewallgui_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -24556,27 +26434,9 @@ index 0000000..9e669ae
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for firewallgui:
-+
-+.EX
-+.B firewallgui_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type firewallgui_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type firewallgui_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B firewallgui_tmp_t
@@ -24604,6 +26464,22 @@ index 0000000..9e669ae
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -24625,19 +26501,46 @@ index 0000000..9e669ae
 +selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8
 new file mode 100644
-index 0000000..32659cf
+index 0000000..d484fe6
 --- /dev/null
 +++ b/man/man8/firstboot_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,106 @@
 +.TH  "firstboot_selinux"  "8"  "firstboot" "dwalsh at redhat.com" "firstboot SELinux Policy documentation"
 +.SH "NAME"
 +firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the firstboot processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the firstboot processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The firstboot processes execute with the firstboot_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep firstboot_t
++
++
++.SH "ENTRYPOINTS"
++
++The firstboot_t SELinux type can be entered via the "proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,firstboot_exec_t,unlabeled_t" file types.  The default entrypoint paths for the firstboot_t domain are the following:"
++
++/dev/cpu/mtrr, /usr/share/firstboot/firstboot\.py, /usr/sbin/firstboot
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
++.PP 
++The following process types are defined for firstboot:
++
++.EX
++.B firstboot_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
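Review bot: The ENTRYPOINTS text added for firstboot_t lists `proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,firstboot_exec_t,unlabeled_t` as entrypoint file types and gives `/dev/cpu/mtrr` as a default entrypoint path, which is far broader than the single `*_exec_t` type the neighbouring pages show. If the policy really grants entrypoint on `file_type` and `unlabeled_t`, the page should say in plain words that this domain is not confined in the way the others are, for example `Note: firstboot_t can be entered through any file type and should be treated as an effectively unconfined domain.` If the list is instead an artifact of how the generator expands attributes, it should be filtered down to the executable types. I cannot tell which case applies from this hunk, so the policy source needs checking before the page ships.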
@@ -24677,27 +26580,9 @@ index 0000000..32659cf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for firstboot:
-+
-+.EX
-+.B firstboot_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type firstboot_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type firstboot_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B file_type
@@ -24705,6 +26590,8 @@ index 0000000..32659cf
 +	all files on the system
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -24726,33 +26613,46 @@ index 0000000..32659cf
 +selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8
 new file mode 100644
-index 0000000..ae8b7b6
+index 0000000..92a6e61
 --- /dev/null
 +++ b/man/man8/foghorn_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,144 @@
 +.TH  "foghorn_selinux"  "8"  "foghorn" "dwalsh at redhat.com" "foghorn SELinux Policy documentation"
 +.SH "NAME"
 +foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the foghorn processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the foghorn processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The foghorn processes execute with the foghorn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep foghorn_t
++
++
++.SH "ENTRYPOINTS"
++
++The foghorn_t SELinux type can be entered via the "foghorn_exec_t" file type.  The default entrypoint paths for the foghorn_t domain are the following:"
 +
++/usr/sbin/foghorn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
++.PP 
++The following process types are defined for foghorn:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B foghorn_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -24804,27 +26704,9 @@ index 0000000..ae8b7b6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for foghorn:
-+
-+.EX
-+.B foghorn_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type foghorn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type foghorn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_var_lib_t
@@ -24844,6 +26726,22 @@ index 0000000..ae8b7b6
 +.B foghorn_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -24865,33 +26763,46 @@ index 0000000..ae8b7b6
 +selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8
 new file mode 100644
-index 0000000..db48a6a
+index 0000000..0edb313
 --- /dev/null
 +++ b/man/man8/fprintd_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "fprintd_selinux"  "8"  "fprintd" "dwalsh at redhat.com" "fprintd SELinux Policy documentation"
 +.SH "NAME"
 +fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fprintd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fprintd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fprintd processes execute with the fprintd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep fprintd_t
++
++
++.SH "ENTRYPOINTS"
++
++The fprintd_t SELinux type can be entered via the "fprintd_exec_t" file type.  The default entrypoint paths for the fprintd_t domain are the following:"
 +
++/usr/libexec/fprintd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
++.PP 
++The following process types are defined for fprintd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B fprintd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -24927,27 +26838,9 @@ index 0000000..db48a6a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fprintd:
-+
-+.EX
-+.B fprintd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fprintd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fprintd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fprintd_var_lib_t
@@ -24955,6 +26848,22 @@ index 0000000..db48a6a
 +	/var/lib/fprint(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -24976,33 +26885,46 @@ index 0000000..db48a6a
 +selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8
 new file mode 100644
-index 0000000..85a3f70
+index 0000000..5bb9250
 --- /dev/null
 +++ b/man/man8/freshclam_selinux.8
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,154 @@
 +.TH  "freshclam_selinux"  "8"  "freshclam" "dwalsh at redhat.com" "freshclam SELinux Policy documentation"
 +.SH "NAME"
 +freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the freshclam processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the freshclam processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The freshclam processes execute with the freshclam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep freshclam_t
++
++
++.SH "ENTRYPOINTS"
 +
++The freshclam_t SELinux type can be entered via the "freshclam_exec_t" file type.  The default entrypoint paths for the freshclam_t domain are the following:"
++
++/usr/bin/freshclam
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
++.PP 
++The following process types are defined for freshclam:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B freshclam_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -25042,27 +26964,9 @@ index 0000000..85a3f70
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for freshclam:
-+
-+.EX
-+.B freshclam_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type freshclam_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type freshclam_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B clamd_var_lib_t
@@ -25104,6 +27008,22 @@ index 0000000..85a3f70
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -25125,19 +27045,46 @@ index 0000000..85a3f70
 +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8
 new file mode 100644
-index 0000000..b4f537d
+index 0000000..a449e1c
 --- /dev/null
 +++ b/man/man8/fsadm_selinux.8
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,260 @@
 +.TH  "fsadm_selinux"  "8"  "fsadm" "dwalsh at redhat.com" "fsadm SELinux Policy documentation"
 +.SH "NAME"
 +fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fsadm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fsadm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fsadm processes execute with the fsadm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep fsadm_t
++
++
++.SH "ENTRYPOINTS"
++
++The fsadm_t SELinux type can be entered via the "fsadm_exec_t" file type.  The default entrypoint paths for the fsadm_t domain are the following:"
++
++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /usr/sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /sbin/resize.*fs, /usr/sbin/raidstart, /sbin/mkreiserfs, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/cfdisk, /sbin/tune2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /sbin/losetup.*, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/mke2fs, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/s
 bin/clubufflush, /sbin/jfs_.*, /usr/sbin/mke4fs, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/sfdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
++.PP 
++The following process types are defined for fsadm:
++
++.EX
++.B fsadm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -25160,7 +27107,7 @@ index 0000000..b4f537d
 +.br
 +.TP 5
 +Paths: 
-+/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /usr/sbin/mke2fs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /sbin/resize.*fs, /usr/sbin/raidstart, /sbin/mkreiserfs, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/cfdisk, /sbin/tune2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /sbin/losetup.*, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/s
 bin/clubufflush, /sbin/jfs_.*, /usr/sbin/mke4fs, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/sfdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /usr/sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /sbin/resize.*fs, /usr/sbin/raidstart, /sbin/mkreiserfs, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/cfdisk, /sbin/tune2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /sbin/losetup.*, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/mke2fs, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/s
 bin/clubufflush, /sbin/jfs_.*, /usr/sbin/mke4fs, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/sfdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
 +
 +.EX
 +.PP
@@ -25193,27 +27140,9 @@ index 0000000..b4f537d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fsadm:
-+
-+.EX
-+.B fsadm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fsadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fsadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amanda_dumpdates_t
@@ -25359,6 +27288,8 @@ index 0000000..b4f537d
 +	/var/lib/xen/images(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -25380,19 +27311,46 @@ index 0000000..b4f537d
 +selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8
 new file mode 100644
-index 0000000..2b3d987
+index 0000000..85c17a0
 --- /dev/null
 +++ b/man/man8/fsdaemon_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "fsdaemon_selinux"  "8"  "fsdaemon" "dwalsh at redhat.com" "fsdaemon SELinux Policy documentation"
 +.SH "NAME"
 +fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the fsdaemon processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the fsdaemon processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The fsdaemon processes execute with the fsdaemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep fsdaemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The fsdaemon_t SELinux type can be entered via the "fsdaemon_exec_t" file type.  The default entrypoint paths for the fsdaemon_t domain are the following:"
++
++/usr/sbin/smartd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
++.PP 
++The following process types are defined for fsdaemon:
++
++.EX
++.B fsdaemon_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -25444,27 +27402,9 @@ index 0000000..2b3d987
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for fsdaemon:
-+
-+.EX
-+.B fsdaemon_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type fsdaemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type fsdaemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fsdaemon_tmp_t
@@ -25476,6 +27416,8 @@ index 0000000..2b3d987
 +	/var/run/smartd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -25496,10 +27438,10 @@ index 0000000..2b3d987
 +.SH "SEE ALSO"
 +selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
-index 5bebd82..3e8fbe7 100644
+index 5bebd82..cc4dd19 100644
 --- a/man/man8/ftpd_selinux.8
 +++ b/man/man8/ftpd_selinux.8
-@@ -1,65 +1,482 @@
+@@ -1,65 +1,493 @@
 -.TH  "ftpd_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "ftpd SELinux policy documentation"
 +.TH  "ftpd_selinux"  "8"  "ftpd" "dwalsh at redhat.com" "ftpd SELinux Policy documentation"
  .SH "NAME"
@@ -25508,32 +27450,30 @@ index 5bebd82..3e8fbe7 100644
 +ftpd_selinux \- Security Enhanced Linux Policy for the ftpd processes
  .SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ftpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ftpd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible.
++The ftpd processes execute with the ftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
- .PP
--Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
--.SH FILE_CONTEXTS
-+If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean.
++.B ps -eZ | grep ftpd_t
 +
-+.EX
-+.B setsebool -P ftp_home_dir 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ftpd_t SELinux type can be entered via the "ftpd_exec_t" file type.  The default entrypoint paths for the ftpd_t domain are the following:"
++
++/usr/sbin/ftpwho, /etc/cron\.monthly/proftpd, /usr/sbin/in\.ftpd, /usr/sbin/proftpd, /usr/kerberos/sbin/ftpd, /usr/sbin/muddleftpd, /usr/sbin/vsftpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
  .PP
+-Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
+-.SH FILE_CONTEXTS
+-.PP
 -SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon.  Policy governs the access that daemons have to files.
 -.TP
 -Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
-+If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean.
-+
-+.EX
-+.B setsebool -P ftpd_use_cifs 1
-+.EE
-+
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
  .PP
 -.B
 -semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
@@ -25542,33 +27482,36 @@ index 5bebd82..3e8fbe7 100644
 -restorecon -F -R -v /var/ftp
 -.TP
 -Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_ftpd_anon_write boolean to be set.
-+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
++Policy governs the access confined processes have to files. 
++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ftpd:
 +
 +.EX
-+.B setsebool -P sftpd_write_ssh_home 1
++.B ftpd_t, ftpdctl_t 
 +.EE
-+
  .PP
 -.B
 -semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
 -.TP
 -.B
 -restorecon -F -R -v /var/ftp/incoming
-+If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean.
-+
-+.EX
-+.B setsebool -P ftpd_connect_db 1
-+.EE
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
  
--.SH BOOLEANS
+ .SH BOOLEANS
++SELinux policy is customizable based on least access required.  ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible.
++
++
  .PP
 -SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
 -.TP
 -Allow ftp servers to read and write files with the public_content_rw_t file type.
-+If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean.
++If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean.
 +
 +.EX
-+.B setsebool -P ftpd_full_access 1
++.B setsebool -P ftp_home_dir 1
 +.EE
 +
  .PP
@@ -25576,10 +27519,10 @@ index 5bebd82..3e8fbe7 100644
 -setsebool -P allow_ftpd_anon_write on
 -.TP
 -Allow ftp servers to read or write files in the user home directories.
-+If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean.
++If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean.
 +
 +.EX
-+.B setsebool -P sftpd_enable_homedirs 1
++.B setsebool -P ftpd_use_cifs 1
 +.EE
 +
  .PP
@@ -25587,63 +27530,75 @@ index 5bebd82..3e8fbe7 100644
 -setsebool -P ftp_home_dir on
 -.TP
 -Allow ftp servers to read or write all files on the system.
-+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean.
 +
 +.EX
-+.B setsebool -P httpd_can_connect_ftp 1
++.B setsebool -P sftpd_write_ssh_home 1
 +.EE
 +
  .PP
 -.B
 -setsebool -P allow_ftpd_full_access on
-+If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.
++If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean.
 +
 +.EX
-+.B setsebool -P ftpd_use_passive_mode 1
++.B setsebool -P ftpd_connect_db 1
 +.EE
 +
 +.PP
-+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
++If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean.
 +
 +.EX
-+.B setsebool -P ftpd_use_nfs 1
++.B setsebool -P ftpd_full_access 1
 +.EE
 +
 +.PP
-+If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
++If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean.
 +
 +.EX
-+.B setsebool -P sftpd_full_access 1
++.B setsebool -P sftpd_enable_homedirs 1
 +.EE
 +
 +.PP
-+If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean.
++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.
 +
 +.EX
-+.B setsebool -P ftpd_connect_all_unreserved 1
++.B setsebool -P httpd_can_connect_ftp 1
 +.EE
 +
 +.PP
-+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.
 +
 +.EX
-+.B setsebool -P httpd_enable_ftp_server 1
++.B setsebool -P ftpd_use_passive_mode 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
++.PP
++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean.
++
++.EX
++.B setsebool -P ftpd_use_nfs 1
++.EE
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P sftpd_full_access 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P ftpd_connect_all_unreserved 1
++.EE
++
++.PP
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
++
++.EX
++.B setsebool -P httpd_enable_ftp_server 1
 +.EE
 +
 +.SH SHARING FILES
@@ -25675,7 +27630,8 @@ index 5bebd82..3e8fbe7 100644
  .PP
 -This manual page was written by Dan Walsh <dwalsh at redhat.com>.
 +If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean.
-+
+ 
+-.SH "SEE ALSO"
 +.EX
 +.B setsebool -P tftp_anon_write 1
 +.EE
@@ -25738,10 +27694,11 @@ index 5bebd82..3e8fbe7 100644
 +/etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/vsftpd
 +
 +.EX
-+.PP
+ .PP
 +.B ftpd_keytab_t 
 +.EE
-+
+ 
+-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
 +- Set files with the ftpd_keytab_t type, if you want to treat the files as kerberos keytab files.
 +
 +
@@ -25844,27 +27801,9 @@ index 5bebd82..3e8fbe7 100644
 +.EE
 +udp 990
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ftpd:
-+
-+.EX
-+.B ftpd_t, ftpdctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ftpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ftpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -25998,6 +27937,22 @@ index 5bebd82..3e8fbe7 100644
 +	/usr/libexec/webmin/vsftpd/webalizer/xfer_log
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -26013,13 +27968,11 @@ index 5bebd82..3e8fbe7 100644
 +
 +.B semanage boolean
 +can also be used to manipulate the booleans
- 
--.SH "SEE ALSO"
- .PP
++
++.PP
 +.B system-config-selinux 
 +is a GUI tool available to customize SELinux policy settings.
- 
--selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
++
 +.SH AUTHOR	
 +This manual page was auto-generated by genman.py.
 +
@@ -26029,19 +27982,46 @@ index 5bebd82..3e8fbe7 100644
 \ No newline at end of file
 diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8
 new file mode 100644
-index 0000000..b71947a
+index 0000000..8d8bab4
 --- /dev/null
 +++ b/man/man8/ftpdctl_selinux.8
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,97 @@
 +.TH  "ftpdctl_selinux"  "8"  "ftpdctl" "dwalsh at redhat.com" "ftpdctl SELinux Policy documentation"
 +.SH "NAME"
 +ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ftpdctl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ftpdctl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ftpdctl processes execute with the ftpdctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ftpdctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The ftpdctl_t SELinux type can be entered via the "ftpdctl_exec_t" file type.  The default entrypoint paths for the ftpdctl_t domain are the following:"
++
++/usr/bin/ftpdctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for ftpdctl:
++
++.EX
++.B ftpdctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -26077,27 +28057,11 @@ index 0000000..b71947a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ftpdctl:
-+
-+.EX
-+.B ftpdctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ftpdctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ftpdctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -26122,19 +28086,46 @@ index 0000000..b71947a
 \ No newline at end of file
 diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8
 new file mode 100644
-index 0000000..44b9cda
+index 0000000..240f5c5
 --- /dev/null
 +++ b/man/man8/games_selinux.8
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,184 @@
 +.TH  "games_selinux"  "8"  "games" "dwalsh at redhat.com" "games SELinux Policy documentation"
 +.SH "NAME"
 +games_selinux \- Security Enhanced Linux Policy for the games processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the games processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the games processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The games processes execute with the games_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep games_t
++
++
++.SH "ENTRYPOINTS"
++
++The games_t SELinux type can be entered via the "games_exec_t" file type.  The default entrypoint paths for the games_t domain are the following:"
++
++/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/kbattleship, /usr/bin/ktuberling, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kbounce, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnomine, /usr/bin/gnect, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/kpat, /usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines, /usr/bin/kwin4proc, /
 usr/bin/gnome-stones
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
++.PP 
++The following process types are defined for games:
++
++.EX
++.B games_t, games_srv_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
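Review bot: In the added PROCESS TYPES section, the line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends in `\bP`, which is not the font-reset escape, so the bold opened by `\fB` is never closed. It should read `\fBps\fP`, as the DESCRIPTION paragraph added in this same hunk already does. The ENTRYPOINTS sentence also carries a stray trailing `"` after `are the following:`. Both recur verbatim in the gconfd, gconfdefaultsm, getty, gfs_controld, gitosis, glance_api and glance_registry hunks below. That suggests a shared template, so the fix probably belongs there rather than in each page.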
@@ -26202,27 +28193,9 @@ index 0000000..44b9cda
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for games:
-+
-+.EX
-+.B games_t, games_srv_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type games_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type games_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B games_data_t
@@ -26255,6 +28228,18 @@ index 0000000..44b9cda
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_tmp_t
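Review bot: The entries added under MANAGED FILES here (`/home/dwalsh/\.fontconfig(/.*)?`, `/var/lib/xguest/home/xguest/\.fonts\.cache-.*` and their siblings) name specific accounts, while the page introduces the list as "the default paths for these file types". They look like per-user expansions taken from the machine the page was produced on, and the existing `/home/[^/]*/...` patterns already cover them. Shipping them publishes local account names and misleads an administrator checking which paths carry the label by default. I would drop these lines and keep only the generic pattern. The same applies to `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` in the next hunk, and to the `/home/dwalsh/...` and `/var/lib/xguest/...` lines in the gconfd, gconfdefaultsm and git_shell hunks.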
@@ -26263,6 +28248,12 @@ index 0000000..44b9cda
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -26285,19 +28276,46 @@ index 0000000..44b9cda
 +selinux(8), games(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8
 new file mode 100644
-index 0000000..c432ad7
+index 0000000..6b42a6f
 --- /dev/null
 +++ b/man/man8/gconfd_selinux.8
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,127 @@
 +.TH  "gconfd_selinux"  "8"  "gconfd" "dwalsh at redhat.com" "gconfd SELinux Policy documentation"
 +.SH "NAME"
 +gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gconfd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gconfd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gconfd processes execute with the gconfd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep gconfd_t
++
++
++.SH "ENTRYPOINTS"
++
++The gconfd_t SELinux type can be entered via the "gconfd_exec_t" file type.  The default entrypoint paths for the gconfd_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
++.PP 
++The following process types are defined for gconfd:
++
++.EX
++.B gconfdefaultsm_t, gconfd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
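Review bot: The new ENTRYPOINTS section for gconfd ends at `The default entrypoint paths for the gconfd_t domain are the following:"` and then lists nothing, unlike the other pages in this patch, which give at least one path. A reader cannot tell whether no path is labeled `gconfd_exec_t` by default or whether the list was lost. The page should either omit the sentence when the list is empty or say so, for example `No default path is labeled gconfd_exec_t.` if that is the case. The `.SH NSSWITCH DOMAIN` heading added near the end of this page is likewise emitted with no body.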
@@ -26333,27 +28351,9 @@ index 0000000..c432ad7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gconfd:
-+
-+.EX
-+.B gconfdefaultsm_t, gconfd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gconfd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gconfd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gconf_home_t
@@ -26366,12 +28366,26 @@ index 0000000..c432ad7
 +.br
 +	/home/[^/]*/\.gconf(d)?(/.*)?
 +.br
++	/home/dwalsh/\.local.*
++.br
++	/home/dwalsh/\.gconf(d)?(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local.*
++.br
++	/var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
 +
 +.br
 +.B gconf_tmp_t
 +
 +	/tmp/gconfd-.*/.*
 +.br
++	/tmp/gconfd-dwalsh/.*
++.br
++	/tmp/gconfd-xguest/.*
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -26396,19 +28410,46 @@ index 0000000..c432ad7
 \ No newline at end of file
 diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8
 new file mode 100644
-index 0000000..7e9e962
+index 0000000..c6ef666
 --- /dev/null
 +++ b/man/man8/gconfdefaultsm_selinux.8
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,115 @@
 +.TH  "gconfdefaultsm_selinux"  "8"  "gconfdefaultsm" "dwalsh at redhat.com" "gconfdefaultsm SELinux Policy documentation"
 +.SH "NAME"
 +gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gconfdefaultsm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gconfdefaultsm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gconfdefaultsm processes execute with the gconfdefaultsm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep gconfdefaultsm_t
++
++
++.SH "ENTRYPOINTS"
++
++The gconfdefaultsm_t SELinux type can be entered via the "gconfdefaultsm_exec_t" file type.  The default entrypoint paths for the gconfdefaultsm_t domain are the following:"
++
++/usr/libexec/gconf-defaults-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
++.PP 
++The following process types are defined for gconfdefaultsm:
++
++.EX
++.B gconfdefaultsm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -26436,27 +28477,9 @@ index 0000000..7e9e962
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gconfdefaultsm:
-+
-+.EX
-+.B gconfdefaultsm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gconfdefaultsm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gconfdefaultsm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gconf_etc_t
@@ -26475,6 +28498,16 @@ index 0000000..7e9e962
 +.br
 +	/home/[^/]*/\.gconf(d)?(/.*)?
 +.br
++	/home/dwalsh/\.local.*
++.br
++	/home/dwalsh/\.gconf(d)?(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local.*
++.br
++	/var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -26499,33 +28532,46 @@ index 0000000..7e9e962
 \ No newline at end of file
 diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8
 new file mode 100644
-index 0000000..5405406
+index 0000000..23e2581
 --- /dev/null
 +++ b/man/man8/getty_selinux.8
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,222 @@
 +.TH  "getty_selinux"  "8"  "getty" "dwalsh at redhat.com" "getty SELinux Policy documentation"
 +.SH "NAME"
 +getty_selinux \- Security Enhanced Linux Policy for the getty processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the getty processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the getty processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The getty processes execute with the getty_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep getty_t
++
++
++.SH "ENTRYPOINTS"
++
++The getty_t SELinux type can be entered via the "getty_exec_t" file type.  The default entrypoint paths for the getty_t domain are the following:"
 +
++/usr/sbin/.*getty, /sbin/.*getty
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
++.PP 
++The following process types are defined for getty:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B getty_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -26588,6 +28634,14 @@ index 0000000..5405406
 +
 +.EX
 +.PP
++.B getty_unit_file_t 
++.EE
++
++- Set files with the getty_unit_file_t type, if you want to treat the files as getty unit content.
++
++
++.EX
++.PP
 +.B getty_var_run_t 
 +.EE
 +
@@ -26605,27 +28659,9 @@ index 0000000..5405406
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for getty:
-+
-+.EX
-+.B getty_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type getty_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type getty_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B getty_lock_t
@@ -26687,6 +28723,22 @@ index 0000000..5405406
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
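Review bot: The NSSWITCH DOMAIN paragraph moved into this position still reads `rather then using a sssd serve for the getty_t`, which leaves unclear what the boolean actually changes. Suggested wording: `If you want to allow users to resolve user passwd entries directly from ldap rather than using an sssd server for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean.` The same sentence appears in the gfs_controld hunk below.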
@@ -26708,33 +28760,46 @@ index 0000000..5405406
 +selinux(8), getty(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gfs_controld_selinux.8 b/man/man8/gfs_controld_selinux.8
 new file mode 100644
-index 0000000..726f3fb
+index 0000000..7e96a9f
 --- /dev/null
 +++ b/man/man8/gfs_controld_selinux.8
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,158 @@
 +.TH  "gfs_controld_selinux"  "8"  "gfs_controld" "dwalsh at redhat.com" "gfs_controld SELinux Policy documentation"
 +.SH "NAME"
 +gfs_controld_selinux \- Security Enhanced Linux Policy for the gfs_controld processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gfs_controld processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gfs_controld processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gfs_controld processes execute with the gfs_controld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep gfs_controld_t
++
++
++.SH "ENTRYPOINTS"
 +
++The gfs_controld_t SELinux type can be entered via the "gfs_controld_exec_t" file type.  The default entrypoint paths for the gfs_controld_t domain are the following:"
++
++/usr/sbin/gfs_controld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible.
++.PP 
++The following process types are defined for gfs_controld:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B gfs_controld_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -26786,27 +28851,9 @@ index 0000000..726f3fb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gfs_controld:
-+
-+.EX
-+.B gfs_controld_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gfs_controld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gfs_controld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_var_lib_t
@@ -26840,6 +28887,22 @@ index 0000000..726f3fb
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -26976,10 +29039,10 @@ index e9c43b1..0000000
 -selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
 diff --git a/man/man8/git_shell_selinux.8 b/man/man8/git_shell_selinux.8
 new file mode 100644
-index 0000000..2b3cae6
+index 0000000..f754f4a
 --- /dev/null
 +++ b/man/man8/git_shell_selinux.8
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,131 @@
 +.TH  "git_shell_selinux"  "8"  "git_shell" "mgrepl at redhat.com" "git_shell SELinux Policy documentation"
 +.SH "NAME"
 +git_shell_u \- \fBgit_shell user role\fP - Security Enhanced Linux Policy 
@@ -27029,19 +29092,19 @@ index 0000000..2b3cae6
 +
 +.B dns_port_t: 53
 +
-+.B kerberos_port_t: 88,750,4444
-+
 +.B ocsp_port_t: 9080
 +
++.B kerberos_port_t: 88,750,4444
++
 +.TP
 +The SELinux user git_shell_u is able to connect to the following tcp ports.
 +
 +.B dns_port_t: 53
 +
-+.B kerberos_port_t: 88,750,4444
-+
 +.B ocsp_port_t: 9080
 +
++.B kerberos_port_t: 88,750,4444
++
 +.SH HOME_EXEC
 +
 +The SELinux user git_shell_u is able execute home content files.
@@ -27071,13 +29134,17 @@ index 0000000..2b3cae6
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type git_shell_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type git_shell_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B alsa_home_t
 +
 +	/home/[^/]*/\.asoundrc
 +.br
++	/home/dwalsh/\.asoundrc
++.br
++	/var/lib/xguest/home/xguest/\.asoundrc
++.br
 +
 +.br
 +.B git_sys_content_t
@@ -27106,19 +29173,50 @@ index 0000000..2b3cae6
 +
 +.SH "SEE ALSO"
 +selinux(8), git_shell(8), semanage(8), restorecon(8), chcon(1)
++, gitosis_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8
 new file mode 100644
-index 0000000..b57e8dd
+index 0000000..06ffd25
 --- /dev/null
 +++ b/man/man8/gitosis_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "gitosis_selinux"  "8"  "gitosis" "dwalsh at redhat.com" "gitosis SELinux Policy documentation"
 +.SH "NAME"
 +gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gitosis processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gitosis processes via flexible mandatory access control.
++
++The gitosis processes execute with the gitosis_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep gitosis_t
++
++
++.SH "ENTRYPOINTS"
++
++The gitosis_t SELinux type can be entered via the "gitosis_exec_t" file type.  The default entrypoint paths for the gitosis_t domain are the following:"
++
++/usr/bin/gitosis-serve, /usr/bin/gl-auth-command
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
++.PP 
++The following process types are defined for gitosis:
++
++.EX
++.B gitosis_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible.
@@ -27131,8 +29229,6 @@ index 0000000..b57e8dd
 +.B setsebool -P gitosis_can_sendmail 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -27175,27 +29271,9 @@ index 0000000..b57e8dd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gitosis:
-+
-+.EX
-+.B gitosis_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gitosis_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gitosis_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gitosis_var_lib_t
@@ -27205,6 +29283,8 @@ index 0000000..b57e8dd
 +	/var/lib/gitolite(3)?(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -27231,19 +29311,46 @@ index 0000000..b57e8dd
 \ No newline at end of file
 diff --git a/man/man8/glance_api_selinux.8 b/man/man8/glance_api_selinux.8
 new file mode 100644
-index 0000000..f6bae20
+index 0000000..44a9301
 --- /dev/null
 +++ b/man/man8/glance_api_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,119 @@
 +.TH  "glance_api_selinux"  "8"  "glance_api" "dwalsh at redhat.com" "glance_api SELinux Policy documentation"
 +.SH "NAME"
 +glance_api_selinux \- Security Enhanced Linux Policy for the glance_api processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the glance_api processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the glance_api processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The glance_api processes execute with the glance_api_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep glance_api_t
++
++
++.SH "ENTRYPOINTS"
++
++The glance_api_t SELinux type can be entered via the "glance_api_exec_t" file type.  The default entrypoint paths for the glance_api_t domain are the following:"
++
++/usr/bin/glance-api
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible.
++.PP 
++The following process types are defined for glance_api:
++
++.EX
++.B glance_api_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -27279,27 +29386,9 @@ index 0000000..f6bae20
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for glance_api:
-+
-+.EX
-+.B glance_api_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type glance_api_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type glance_api_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B glance_log_t
@@ -27323,6 +29412,8 @@ index 0000000..f6bae20
 +	/var/run/glance(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -27342,21 +29433,50 @@ index 0000000..f6bae20
 +
 +.SH "SEE ALSO"
 +selinux(8), glance_api(8), semanage(8), restorecon(8), chcon(1)
++, glance_registry_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/glance_registry_selinux.8 b/man/man8/glance_registry_selinux.8
 new file mode 100644
-index 0000000..d3691be
+index 0000000..6d1548f
 --- /dev/null
 +++ b/man/man8/glance_registry_selinux.8
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,155 @@
 +.TH  "glance_registry_selinux"  "8"  "glance_registry" "dwalsh at redhat.com" "glance_registry SELinux Policy documentation"
 +.SH "NAME"
 +glance_registry_selinux \- Security Enhanced Linux Policy for the glance_registry processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the glance_registry processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the glance_registry processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The glance_registry processes execute with the glance_registry_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep glance_registry_t
++
++
++.SH "ENTRYPOINTS"
++
++The glance_registry_t SELinux type can be entered via the "glance_registry_exec_t" file type.  The default entrypoint paths for the glance_registry_t domain are the following:"
++
++/usr/bin/glance-registry
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
++.PP 
++The following process types are defined for glance_registry:
++
++.EX
++.B glance_registry_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -27425,27 +29545,9 @@ index 0000000..d3691be
 +.EE
 +udp 9191
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for glance_registry:
-+
-+.EX
-+.B glance_registry_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type glance_registry_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type glance_registry_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B glance_log_t
@@ -27469,6 +29571,8 @@ index 0000000..d3691be
 +	/var/run/glance(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
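Review bot: The `.SH NSSWITCH DOMAIN` heading added just before `.SH "COMMANDS"` has no body, so the glance_registry page gets a section title with nothing under it. The heading should be emitted only when the domain actually has nsswitch-related booleans to document, as the glusterd page in this patch does. The same empty heading is added in the gnomesystemmm, gpg_agent and gpm pages; the COMMANDS section continues outside this hunk.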
@@ -27491,35 +29595,50 @@ index 0000000..d3691be
 +
 +.SH "SEE ALSO"
 +selinux(8), glance_registry(8), semanage(8), restorecon(8), chcon(1)
++, glance_api_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/glusterd_selinux.8 b/man/man8/glusterd_selinux.8
 new file mode 100644
-index 0000000..5736fca
+index 0000000..e3df9df
 --- /dev/null
 +++ b/man/man8/glusterd_selinux.8
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,196 @@
 +.TH  "glusterd_selinux"  "8"  "glusterd" "dwalsh at redhat.com" "glusterd SELinux Policy documentation"
 +.SH "NAME"
 +glusterd_selinux \- Security Enhanced Linux Policy for the glusterd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the glusterd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the glusterd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The glusterd processes execute with the glusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep glusterd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The glusterd_t SELinux type can be entered via the "glusterd_exec_t" file type.  The default entrypoint paths for the glusterd_t domain are the following:"
++
++/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible.
++.PP 
++The following process types are defined for glusterd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B glusterd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
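Review bot: The relocated PROCESS TYPES text still contains `\fBps\bP`, where the closing escape should be `\fP`; as written the bold is presumably never switched back and `\b` is not a font escape. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with an unbalanced quote (`are the following:"`), which should be dropped. Both appear in every regenerated page in this part of the patch (gnomeclock, gnomesystemmm, gpg_agent, gpg_helper, gpg, gpm), so the fix belongs in the man-page template rather than in each file.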
@@ -27611,27 +29730,9 @@ index 0000000..5736fca
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for glusterd:
-+
-+.EX
-+.B glusterd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type glusterd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type glusterd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B glusterd_etc_t
@@ -27663,6 +29764,22 @@ index 0000000..5736fca
 +	/var/run/glusterd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -27684,33 +29801,46 @@ index 0000000..5736fca
 +selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8
 new file mode 100644
-index 0000000..2de4518
+index 0000000..34c1785
 --- /dev/null
 +++ b/man/man8/gnomeclock_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,146 @@
 +.TH  "gnomeclock_selinux"  "8"  "gnomeclock" "dwalsh at redhat.com" "gnomeclock SELinux Policy documentation"
 +.SH "NAME"
 +gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gnomeclock processes execute with the gnomeclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep gnomeclock_t
++
++
++.SH "ENTRYPOINTS"
 +
++The gnomeclock_t SELinux type can be entered via the "gnomeclock_exec_t" file type.  The default entrypoint paths for the gnomeclock_t domain are the following:"
++
++/usr/libexec/gsd-datetime-mechanism, /usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/libexec/gnome-clock-applet-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
++.PP 
++The following process types are defined for gnomeclock:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B gnomeclock_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -27742,27 +29872,9 @@ index 0000000..2de4518
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gnomeclock:
-+
-+.EX
-+.B gnomeclock_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gnomeclock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gnomeclock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B config_usr_t
@@ -27804,6 +29916,22 @@ index 0000000..2de4518
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -27825,19 +29953,46 @@ index 0000000..2de4518
 +selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8
 new file mode 100644
-index 0000000..ed23212
+index 0000000..ca0b640
 --- /dev/null
 +++ b/man/man8/gnomesystemmm_selinux.8
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,98 @@
 +.TH  "gnomesystemmm_selinux"  "8"  "gnomesystemmm" "dwalsh at redhat.com" "gnomesystemmm SELinux Policy documentation"
 +.SH "NAME"
 +gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gnomesystemmm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gnomesystemmm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gnomesystemmm processes execute with the gnomesystemmm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep gnomesystemmm_t
++
++
++.SH "ENTRYPOINTS"
++
++The gnomesystemmm_t SELinux type can be entered via the "gnomesystemmm_exec_t" file type.  The default entrypoint paths for the gnomesystemmm_t domain are the following:"
++
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
++.PP 
++The following process types are defined for gnomesystemmm:
++
++.EX
++.B gnomesystemmm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -27869,27 +30024,9 @@ index 0000000..ed23212
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gnomesystemmm:
-+
-+.EX
-+.B gnomesystemmm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gnomesystemmm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gnomesystemmm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B config_usr_t
@@ -27897,6 +30034,8 @@ index 0000000..ed23212
 +	/usr/share/config(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -27918,17 +30057,46 @@ index 0000000..ed23212
 +selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gpg_agent_selinux.8 b/man/man8/gpg_agent_selinux.8
 new file mode 100644
-index 0000000..199ce8e
+index 0000000..ecc47ea
 --- /dev/null
 +++ b/man/man8/gpg_agent_selinux.8
-@@ -0,0 +1,114 @@
+@@ -0,0 +1,133 @@
 +.TH  "gpg_agent_selinux"  "8"  "gpg_agent" "dwalsh at redhat.com" "gpg_agent SELinux Policy documentation"
 +.SH "NAME"
 +gpg_agent_selinux \- Security Enhanced Linux Policy for the gpg_agent processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gpg_agent processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gpg_agent processes via flexible mandatory access control.
++
++The gpg_agent processes execute with the gpg_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep gpg_agent_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpg_agent_t SELinux type can be entered via the "gpg_agent_exec_t" file type.  The default entrypoint paths for the gpg_agent_t domain are the following:"
++
++/usr/bin/gpg-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpg_agent:
++
++.EX
++.B gpg_agent_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  gpg_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_agent with the tightest access possible.
@@ -27941,8 +30109,6 @@ index 0000000..199ce8e
 +.B setsebool -P gpg_agent_env_file 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -27977,33 +30143,19 @@ index 0000000..199ce8e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gpg_agent:
-+
-+.EX
-+.B gpg_agent_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gpg_agent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gpg_agent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gpg_agent_tmp_t
 +
 +	/home/[^/]*/\.gnupg/log-socket
 +.br
++	/home/dwalsh/\.gnupg/log-socket
++.br
++	/var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
 +
 +.br
 +.B gpg_secret_t
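Review bot: The two paths added under `gpg_agent_tmp_t`, `/home/dwalsh/\.gnupg/log-socket` and `/var/lib/xguest/home/xguest/\.gnupg/log-socket`, look like home-directory expansions from the machine the pages were generated on, not policy defaults. The generic `/home/[^/]*/\.gnupg/log-socket` entry above them already covers user homes. Shipping the host-specific lines puts a local account name into the documentation and may lead an administrator to think only those directories are labeled. The generator should print only the home-directory template pattern. The same expansion is added in the following `gpg_secret_t` hunk and in the gpg page hunks for `gpg_agent_tmp_t`, `gpg_secret_t`, `mozilla_home_t` and `user_home_t`.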
@@ -28012,6 +30164,12 @@ index 0000000..199ce8e
 +.br
 +	/home/[^/]*/\.gnupg(/.+)?
 +.br
++	/home/dwalsh/\.gnupg(/.+)?
++.br
++	/var/lib/xguest/home/xguest/\.gnupg(/.+)?
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -28035,37 +30193,50 @@ index 0000000..199ce8e
 +
 +.SH "SEE ALSO"
 +selinux(8), gpg_agent(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8), gpg_selinux(8)
++, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_helper_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/gpg_helper_selinux.8 b/man/man8/gpg_helper_selinux.8
 new file mode 100644
-index 0000000..9491991
+index 0000000..4a56957
 --- /dev/null
 +++ b/man/man8/gpg_helper_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "gpg_helper_selinux"  "8"  "gpg_helper" "dwalsh at redhat.com" "gpg_helper SELinux Policy documentation"
 +.SH "NAME"
 +gpg_helper_selinux \- Security Enhanced Linux Policy for the gpg_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gpg_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gpg_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gpg_helper processes execute with the gpg_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep gpg_helper_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The gpg_helper_t SELinux type can be entered via the "gpg_helper_exec_t" file type.  The default entrypoint paths for the gpg_helper_t domain are the following:"
++
++/usr/lib/gnupg/gpgkeys.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the gpg_helper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpg_helper:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B gpg_helper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -28093,27 +30264,25 @@ index 0000000..9491991
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type gpg_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gpg_helper:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B gpg_helper_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the gpg_helper_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type gpg_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -28134,54 +30303,67 @@ index 0000000..9491991
 +
 +.SH "SEE ALSO"
 +selinux(8), gpg_helper(8), semanage(8), restorecon(8), chcon(1)
-+, gpg_selinux(8)
++, gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8
 new file mode 100644
-index 0000000..3a25152
+index 0000000..da9ab8b
 --- /dev/null
 +++ b/man/man8/gpg_selinux.8
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,340 @@
 +.TH  "gpg_selinux"  "8"  "gpg" "dwalsh at redhat.com" "gpg SELinux Policy documentation"
 +.SH "NAME"
 +gpg_selinux \- Security Enhanced Linux Policy for the gpg processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gpg processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gpg processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible.
++The gpg processes execute with the gpg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
++.B ps -eZ | grep gpg_t
 +
-+.EX
-+.B setsebool -P gpg_agent_env_file 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The gpg_t SELinux type can be entered via the "gpg_exec_t" file type.  The default entrypoint paths for the gpg_t domain are the following:"
++
++/usr/bin/gpgsm, /usr/bin/gpg(2)?, /usr/bin/kgpg, /usr/lib/gnupg/.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpg:
 +
 +.EX
-+.B setsebool -P httpd_use_gpg 1
++.B gpg_t, gpg_pinentry_t, gpg_helper_t, gpg_web_t, gpg_agent_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P gpg_agent_env_file 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean.
++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_use_gpg 1
 +.EE
 +
 +.SH SHARING FILES
@@ -28288,27 +30470,9 @@ index 0000000..3a25152
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gpg:
-+
-+.EX
-+.B gpg_t, gpg_pinentry_t, gpg_helper_t, gpg_web_t, gpg_agent_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gpg_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gpg_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_mail_t
@@ -28321,6 +30485,10 @@ index 0000000..3a25152
 +
 +	/home/[^/]*/\.gnupg/log-socket
 +.br
++	/home/dwalsh/\.gnupg/log-socket
++.br
++	/var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
 +
 +.br
 +.B gpg_secret_t
@@ -28329,6 +30497,10 @@ index 0000000..3a25152
 +.br
 +	/home/[^/]*/\.gnupg(/.+)?
 +.br
++	/home/dwalsh/\.gnupg(/.+)?
++.br
++	/var/lib/xguest/home/xguest/\.gnupg(/.+)?
++.br
 +
 +.br
 +.B mozilla_home_t
@@ -28363,12 +30535,76 @@ index 0000000..3a25152
 +.br
 +	/home/[^/]*/\.config/chromium(/.*)?
 +.br
++	/home/dwalsh/\.java(/.*)?
++.br
++	/home/dwalsh/\.adobe(/.*)?
++.br
++	/home/dwalsh/\.gnash(/.*)?
++.br
++	/home/dwalsh/\.galeon(/.*)?
++.br
++	/home/dwalsh/\.spicec(/.*)?
++.br
++	/home/dwalsh/\.mozilla(/.*)?
++.br
++	/home/dwalsh/\.phoenix(/.*)?
++.br
++	/home/dwalsh/\.netscape(/.*)?
++.br
++	/home/dwalsh/\.ICAClient(/.*)?
++.br
++	/home/dwalsh/\.macromedia(/.*)?
++.br
++	/home/dwalsh/\.thunderbird(/.*)?
++.br
++	/home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++	/home/dwalsh/\.icedteaplugin(/.*)?
++.br
++	/home/dwalsh/zimbrauserdata(/.*)?
++.br
++	/home/dwalsh/\.config/chromium(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
 +
 +.br
 +.B user_home_t
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B user_tmp_type
@@ -28376,6 +30612,22 @@ index 0000000..3a25152
 +	all user tmp files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -28402,19 +30654,46 @@ index 0000000..3a25152
 \ No newline at end of file
 diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8
 new file mode 100644
-index 0000000..555205c
+index 0000000..e986c69
 --- /dev/null
 +++ b/man/man8/gpm_selinux.8
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,132 @@
 +.TH  "gpm_selinux"  "8"  "gpm" "dwalsh at redhat.com" "gpm SELinux Policy documentation"
 +.SH "NAME"
 +gpm_selinux \- Security Enhanced Linux Policy for the gpm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gpm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gpm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gpm processes execute with the gpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep gpm_t
++
++
++.SH "ENTRYPOINTS"
++
++The gpm_t SELinux type can be entered via the "gpm_exec_t" file type.  The default entrypoint paths for the gpm_t domain are the following:"
++
++/usr/sbin/gpm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpm:
++
++.EX
++.B gpm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -28478,27 +30757,9 @@ index 0000000..555205c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gpm:
-+
-+.EX
-+.B gpm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gpm_tmp_t
@@ -28508,6 +30769,8 @@ index 0000000..555205c
 +.B gpm_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
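Review bot: `.SH NSSWITCH DOMAIN` is now emitted for gpm with no body, so the rendered page shows an empty section directly before COMMANDS. The heading should be written only when at least one boolean paragraph follows it, as it does in the gpsd and gssd pages. The hddtemp and hostname pages get the same empty heading, and there it follows a MANAGED FILES introduction that lists no file types, so a reader cannot tell "none" from "omitted".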
@@ -28529,33 +30792,46 @@ index 0000000..555205c
 +selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8
 new file mode 100644
-index 0000000..793fb68
+index 0000000..58ebccb
 --- /dev/null
 +++ b/man/man8/gpsd_selinux.8
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,176 @@
 +.TH  "gpsd_selinux"  "8"  "gpsd" "dwalsh at redhat.com" "gpsd SELinux Policy documentation"
 +.SH "NAME"
 +gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gpsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gpsd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The gpsd processes execute with the gpsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep gpsd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The gpsd_t SELinux type can be entered via the "gpsd_exec_t" file type.  The default entrypoint paths for the gpsd_t domain are the following:"
++
++/usr/sbin/gpsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for gpsd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B gpsd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -28634,27 +30910,9 @@ index 0000000..793fb68
 +Default Defined Ports:
 +tcp 2947
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gpsd:
-+
-+.EX
-+.B gpsd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gpsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gpsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B chronyd_tmpfs_t
@@ -28676,6 +30934,22 @@ index 0000000..793fb68
 +.B ntpd_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -28700,33 +30974,46 @@ index 0000000..793fb68
 +selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/greylist_milter_selinux.8 b/man/man8/greylist_milter_selinux.8
 new file mode 100644
-index 0000000..5307f1e
+index 0000000..002f3ac
 --- /dev/null
 +++ b/man/man8/greylist_milter_selinux.8
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,132 @@
 +.TH  "greylist_milter_selinux"  "8"  "greylist_milter" "dwalsh at redhat.com" "greylist_milter SELinux Policy documentation"
 +.SH "NAME"
 +greylist_milter_selinux \- Security Enhanced Linux Policy for the greylist_milter processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the greylist_milter processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the greylist_milter processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The greylist_milter processes execute with the greylist_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep greylist_milter_t
++
++
++.SH "ENTRYPOINTS"
 +
++The greylist_milter_t SELinux type can be entered via the "greylist_milter_exec_t" file type.  The default entrypoint paths for the greylist_milter_t domain are the following:"
++
++/usr/sbin/sqlgrey, /usr/sbin/milter-greylist
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible.
++.PP 
++The following process types are defined for greylist_milter:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B greylist_milter_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -28770,27 +31057,9 @@ index 0000000..5307f1e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for greylist_milter:
-+
-+.EX
-+.B greylist_milter_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type greylist_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type greylist_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B greylist_milter_data_t
@@ -28806,6 +31075,22 @@ index 0000000..5307f1e
 +	/var/run/milter-greylist\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -28827,33 +31112,46 @@ index 0000000..5307f1e
 +selinux(8), greylist_milter(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8
 new file mode 100644
-index 0000000..06a77c4
+index 0000000..d5691cf
 --- /dev/null
 +++ b/man/man8/groupadd_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,178 @@
 +.TH  "groupadd_selinux"  "8"  "groupadd" "dwalsh at redhat.com" "groupadd SELinux Policy documentation"
 +.SH "NAME"
 +groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the groupadd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the groupadd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The groupadd processes execute with the groupadd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep groupadd_t
++
++
++.SH "ENTRYPOINTS"
++
++The groupadd_t SELinux type can be entered via the "groupadd_exec_t" file type.  The default entrypoint paths for the groupadd_t domain are the following:"
 +
++/usr/sbin/gpasswd, /usr/bin/gpasswd, /usr/sbin/groupdel, /usr/sbin/groupadd, /usr/sbin/groupmod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
++.PP 
++The following process types are defined for groupadd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B groupadd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -28885,27 +31183,9 @@ index 0000000..06a77c4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for groupadd:
-+
-+.EX
-+.B groupadd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type groupadd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type groupadd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -28979,6 +31259,22 @@ index 0000000..06a77c4
 +	/etc/security/opasswd\.old
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -29000,33 +31296,46 @@ index 0000000..06a77c4
 +selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8
 new file mode 100644
-index 0000000..cf1f8f5
+index 0000000..cb7aca9
 --- /dev/null
 +++ b/man/man8/groupd_selinux.8
-@@ -0,0 +1,140 @@
+@@ -0,0 +1,151 @@
 +.TH  "groupd_selinux"  "8"  "groupd" "dwalsh at redhat.com" "groupd SELinux Policy documentation"
 +.SH "NAME"
 +groupd_selinux \- Security Enhanced Linux Policy for the groupd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the groupd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the groupd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The groupd processes execute with the groupd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep groupd_t
++
++
++.SH "ENTRYPOINTS"
++
++The groupd_t SELinux type can be entered via the "groupd_exec_t" file type.  The default entrypoint paths for the groupd_t domain are the following:"
 +
++/usr/sbin/groupd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
++.PP 
++The following process types are defined for groupd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B groupadd_t, groupd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -29078,27 +31387,9 @@ index 0000000..cf1f8f5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for groupd:
-+
-+.EX
-+.B groupadd_t, groupd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type groupd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type groupd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_var_lib_t
@@ -29124,6 +31415,22 @@ index 0000000..cf1f8f5
 +.B initrc_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -29147,43 +31454,56 @@ index 0000000..cf1f8f5
 \ No newline at end of file
 diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8
 new file mode 100644
-index 0000000..7cb2a9a
+index 0000000..fa509f9
 --- /dev/null
 +++ b/man/man8/gssd_selinux.8
-@@ -0,0 +1,182 @@
+@@ -0,0 +1,197 @@
 +.TH  "gssd_selinux"  "8"  "gssd" "dwalsh at redhat.com" "gssd SELinux Policy documentation"
 +.SH "NAME"
 +gssd_selinux \- Security Enhanced Linux Policy for the gssd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the gssd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the gssd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible.
++The gssd processes execute with the gssd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow gssd to read temp directory.  For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
++.B ps -eZ | grep gssd_t
 +
-+.EX
-+.B setsebool -P gssd_read_tmp 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The gssd_t SELinux type can be entered via the "gssd_exec_t" file type.  The default entrypoint paths for the gssd_t domain are the following:"
 +
++/usr/sbin/rpc\.gssd, /usr/sbin/rpc\.svcgssd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
++.PP 
++The following process types are defined for gssd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B gssd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow gssd to read temp directory.  For access to kerberos tgt, you must turn on the gssd_read_tmp boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P gssd_read_tmp 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -29232,27 +31552,9 @@ index 0000000..7cb2a9a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for gssd:
-+
-+.EX
-+.B gssd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type gssd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type gssd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -29293,6 +31595,10 @@ index 0000000..7cb2a9a
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B var_lib_nfs_t
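Review bot: The added `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` entries are per-account instances of the `/tmp/gconfd-.*` pattern above them, not default file-context paths, yet this MANAGED FILES section (which starts outside the hunk) introduces its list as "the default paths for these file types". They presumably come from the file-context data of the machine the pages were generated on, which misdocuments the shipped policy and publishes that host's local account names. The guest page gains the same kind of entries under the httpd_user_* types (`/home/dwalsh/...`, `/var/lib/xguest/home/xguest/...`). Regenerating from the packaged policy's file contexts only, or filtering per-user home-directory expansions in the generator, would leave just the generic `/tmp/gconfd-.*` and `/home/[^/]*/...` patterns.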
@@ -29310,6 +31616,22 @@ index 0000000..7cb2a9a
 +	/tmp/\.X0-lock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -29336,10 +31658,10 @@ index 0000000..7cb2a9a
 \ No newline at end of file
 diff --git a/man/man8/guest_selinux.8 b/man/man8/guest_selinux.8
 new file mode 100644
-index 0000000..633fb61
+index 0000000..28a3334
 --- /dev/null
 +++ b/man/man8/guest_selinux.8
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,218 @@
 +.TH  "guest_selinux"  "8"  "guest" "mgrepl at redhat.com" "guest SELinux Policy documentation"
 +.SH "NAME"
 +guest_u \- \fBLeast privledge terminal user role\fP - Security Enhanced Linux Policy 
@@ -29394,19 +31716,19 @@ index 0000000..633fb61
 +
 +.B dns_port_t: 53
 +
-+.B kerberos_port_t: 88,750,4444
-+
 +.B ocsp_port_t: 9080
 +
++.B kerberos_port_t: 88,750,4444
++
 +.TP
 +The SELinux user guest_u is able to connect to the following tcp ports.
 +
 +.B dns_port_t: 53
 +
-+.B kerberos_port_t: 88,750,4444
-+
 +.B ocsp_port_t: 9080
 +
++.B kerberos_port_t: 88,750,4444
++
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  guest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run guest with the tightest access possible.
 +
@@ -29461,7 +31783,7 @@ index 0000000..633fb61
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type guest_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type guest_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -29478,18 +31800,30 @@ index 0000000..633fb61
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
 +
 +.br
 +.B httpd_user_htaccess_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
 +
 +.br
 +.B httpd_user_ra_content_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
 +
 +.br
 +.B httpd_user_rw_content_t
@@ -29500,6 +31834,10 @@ index 0000000..633fb61
 +
 +	/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
 +
 +.br
 +.B user_home_type
@@ -29545,19 +31883,46 @@ index 0000000..633fb61
 \ No newline at end of file
 diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8
 new file mode 100644
-index 0000000..9785089
+index 0000000..40326e3
 --- /dev/null
 +++ b/man/man8/hddtemp_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "hddtemp_selinux"  "8"  "hddtemp" "dwalsh at redhat.com" "hddtemp SELinux Policy documentation"
 +.SH "NAME"
 +hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the hddtemp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the hddtemp processes via flexible mandatory access control.
++
++The hddtemp processes execute with the hddtemp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep hddtemp_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The hddtemp_t SELinux type can be entered via the "hddtemp_exec_t" file type.  The default entrypoint paths for the hddtemp_t domain are the following:"
++
++/usr/sbin/hddtemp
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
++.PP 
++The following process types are defined for hddtemp:
++
++.EX
++.B hddtemp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -29624,27 +31989,11 @@ index 0000000..9785089
 +Default Defined Ports:
 +tcp 7634
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for hddtemp:
-+
-+.EX
-+.B hddtemp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type hddtemp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type hddtemp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -29670,19 +32019,46 @@ index 0000000..9785089
 +selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8
 new file mode 100644
-index 0000000..029b6a7
+index 0000000..9cc1a2f
 --- /dev/null
 +++ b/man/man8/hostname_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "hostname_selinux"  "8"  "hostname" "dwalsh at redhat.com" "hostname SELinux Policy documentation"
 +.SH "NAME"
 +hostname_selinux \- Security Enhanced Linux Policy for the hostname processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the hostname processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the hostname processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The hostname processes execute with the hostname_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep hostname_t
++
++
++.SH "ENTRYPOINTS"
++
++The hostname_t SELinux type can be entered via the "hostname_exec_t" file type.  The default entrypoint paths for the hostname_t domain are the following:"
++
++/bin/hostname, /usr/bin/hostname
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
++.PP 
++The following process types are defined for hostname:
++
++.EX
++.B hostname_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -29714,27 +32090,11 @@ index 0000000..029b6a7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for hostname:
-+
-+.EX
-+.B hostname_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type hostname_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type hostname_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
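Review bot: The MANAGED FILES paragraph for hostname_t announces "the following file types" but no `.B` type entries follow it, and the `.SH NSSWITCH DOMAIN` heading now placed after it has no body either. A reader checking what hostname_t may write cannot tell whether the domain manages nothing or the list was lost. Consider emitting these headings only when there is content, or saying so explicitly, e.g. `The hostname_t domain has no managed file types.` The same empty `.SH NSSWITCH DOMAIN` heading is added to the hplip and httpd_*_script pages below.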
@@ -29757,19 +32117,46 @@ index 0000000..029b6a7
 +selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8
 new file mode 100644
-index 0000000..95fc55c
+index 0000000..ab19f6e
 --- /dev/null
 +++ b/man/man8/hplip_selinux.8
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,190 @@
 +.TH  "hplip_selinux"  "8"  "hplip" "dwalsh at redhat.com" "hplip SELinux Policy documentation"
 +.SH "NAME"
 +hplip_selinux \- Security Enhanced Linux Policy for the hplip processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the hplip processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the hplip processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The hplip processes execute with the hplip_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep hplip_t
++
++
++.SH "ENTRYPOINTS"
++
++The hplip_t SELinux type can be entered via the "hplip_exec_t" file type.  The default entrypoint paths for the hplip_t domain are the following:"
++
++/usr/bin/hpijs, /usr/share/hplip/.*\.py, /usr/sbin/hp-[^/]+, /usr/lib/cups/backend/hp.*, /usr/sbin/hpiod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
++.PP 
++The following process types are defined for hplip:
++
++.EX
++.B hplip_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -29860,27 +32247,9 @@ index 0000000..95fc55c
 +Default Defined Ports:
 +tcp 1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for hplip:
-+
-+.EX
-+.B hplip_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type hplip_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type hplip_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -29918,6 +32287,8 @@ index 0000000..95fc55c
 +.B usbfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -29942,19 +32313,46 @@ index 0000000..95fc55c
 +selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/httpd_apcupsd_cgi_script_selinux.8 b/man/man8/httpd_apcupsd_cgi_script_selinux.8
 new file mode 100644
-index 0000000..45a6ae2
+index 0000000..576c4ca
 --- /dev/null
 +++ b/man/man8/httpd_apcupsd_cgi_script_selinux.8
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,97 @@
 +.TH  "httpd_apcupsd_cgi_script_selinux"  "8"  "httpd_apcupsd_cgi_script" "dwalsh at redhat.com" "httpd_apcupsd_cgi_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_apcupsd_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_apcupsd_cgi_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_apcupsd_cgi_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_apcupsd_cgi_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_apcupsd_cgi_script processes execute with the httpd_apcupsd_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_apcupsd_cgi_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_apcupsd_cgi_script_t SELinux type can be entered via the "httpd_apcupsd_cgi_script_exec_t,shell_exec_t,httpd_apcupsd_cgi_script_exec_t" file types.  The default entrypoint paths for the httpd_apcupsd_cgi_script_t domain are the following:"
++
++/var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/cgi-bin/apcgui(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/cgi-bin/apcgui(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_apcupsd_cgi_script:
++
++.EX
++.B httpd_apcupsd_cgi_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
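Review bot: The ENTRYPOINTS text for httpd_apcupsd_cgi_script_t names `httpd_apcupsd_cgi_script_exec_t` twice in the type list and repeats the `/var/www/apcupsd/*\.cgi` and `/var/www/cgi-bin/apcgui(/.*)?` paths at both ends of the path list. Because `shell_exec_t` is expanded into every shell path in between, the few CGI-specific entry points are hard to pick out when auditing which executables can enter this domain. De-duplicating the types and paths, and grouping the paths under the file type they belong to, would make the section readable for that purpose. The awstats, bugzilla, cobbler and collectd pages added below repeat their exec type in the same way.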
@@ -29986,32 +32384,16 @@ index 0000000..45a6ae2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_apcupsd_cgi_script:
-+
-+.EX
-+.B httpd_apcupsd_cgi_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_apcupsd_cgi_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_apcupsd_cgi_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_apcupsd_cgi_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30031,23 +32413,50 @@ index 0000000..45a6ae2
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_apcupsd_cgi_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_awstats_script_selinux.8 b/man/man8/httpd_awstats_script_selinux.8
 new file mode 100644
-index 0000000..0ae4666
+index 0000000..3b05ed5
 --- /dev/null
 +++ b/man/man8/httpd_awstats_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_awstats_script_selinux"  "8"  "httpd_awstats_script" "dwalsh at redhat.com" "httpd_awstats_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_awstats_script_selinux \- Security Enhanced Linux Policy for the httpd_awstats_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_awstats_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_awstats_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_awstats_script processes execute with the httpd_awstats_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_awstats_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_awstats_script_t SELinux type can be entered via the "httpd_awstats_script_exec_t,shell_exec_t,httpd_awstats_script_exec_t" file types.  The default entrypoint paths for the httpd_awstats_script_t domain are the following:"
++
++/usr/share/awstats/wwwroot/cgi-bin(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/awstats/wwwroot/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_awstats_script:
++
++.EX
++.B httpd_awstats_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
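Review bot: The rewritten SEE ALSO continuation at the top of this hunk lists `httpd_selinux(8)` twice in a row and still starts with a leading comma, so the rendered text reads `chcon(1) , httpd_selinux(8), httpd_selinux(8), ...`. Ending the previous line with the comma and dropping the duplicate would fix both, e.g. `selinux(8), httpd_apcupsd_cgi_script(8), semanage(8), restorecon(8), chcon(1),` followed by a line beginning `httpd_selinux(8), httpd_awstats_script_selinux(8), ...`. The same continuation line appears in the awstats, bugzilla, cobbler and collectd pages later in the patch.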
@@ -30075,32 +32484,16 @@ index 0000000..0ae4666
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_awstats_script:
-+
-+.EX
-+.B httpd_awstats_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_awstats_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_awstats_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_awstats_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30120,23 +32513,50 @@ index 0000000..0ae4666
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_awstats_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_bugzilla_script_selinux.8 b/man/man8/httpd_bugzilla_script_selinux.8
 new file mode 100644
-index 0000000..8562f3c
+index 0000000..cc12994
 --- /dev/null
 +++ b/man/man8/httpd_bugzilla_script_selinux.8
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,99 @@
 +.TH  "httpd_bugzilla_script_selinux"  "8"  "httpd_bugzilla_script" "dwalsh at redhat.com" "httpd_bugzilla_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_bugzilla_script_selinux \- Security Enhanced Linux Policy for the httpd_bugzilla_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_bugzilla_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_bugzilla_script processes via flexible mandatory access control.
++
++The httpd_bugzilla_script processes execute with the httpd_bugzilla_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_bugzilla_script_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The httpd_bugzilla_script_t SELinux type can be entered via the "httpd_bugzilla_script_exec_t,shell_exec_t,httpd_bugzilla_script_exec_t" file types.  The default entrypoint paths for the httpd_bugzilla_script_t domain are the following:"
++
++/usr/share/bugzilla(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/bugzilla(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_bugzilla_script:
++
++.EX
++.B httpd_bugzilla_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30164,27 +32584,9 @@ index 0000000..8562f3c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_bugzilla_script:
-+
-+.EX
-+.B httpd_bugzilla_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_bugzilla_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_bugzilla_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_bugzilla_rw_content_t
@@ -30196,6 +32598,8 @@ index 0000000..8562f3c
 +.B httpd_bugzilla_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30215,23 +32619,50 @@ index 0000000..8562f3c
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_bugzilla_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_cobbler_script_selinux.8 b/man/man8/httpd_cobbler_script_selinux.8
 new file mode 100644
-index 0000000..711c98c
+index 0000000..f88d993
 --- /dev/null
 +++ b/man/man8/httpd_cobbler_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_cobbler_script_selinux"  "8"  "httpd_cobbler_script" "dwalsh at redhat.com" "httpd_cobbler_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_cobbler_script_selinux \- Security Enhanced Linux Policy for the httpd_cobbler_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_cobbler_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_cobbler_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_cobbler_script processes execute with the httpd_cobbler_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_cobbler_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_cobbler_script_t SELinux type can be entered via the "shell_exec_t,httpd_cobbler_script_exec_t,httpd_cobbler_script_exec_t" file types.  The default entrypoint paths for the httpd_cobbler_script_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_cobbler_script:
++
++.EX
++.B httpd_cobbler_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30259,32 +32690,16 @@ index 0000000..711c98c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_cobbler_script:
-+
-+.EX
-+.B httpd_cobbler_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_cobbler_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_cobbler_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_cobbler_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30304,23 +32719,50 @@ index 0000000..711c98c
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_cobbler_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_collectd_script_selinux.8 b/man/man8/httpd_collectd_script_selinux.8
 new file mode 100644
-index 0000000..c17f89a
+index 0000000..ca8215f
 --- /dev/null
 +++ b/man/man8/httpd_collectd_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_collectd_script_selinux"  "8"  "httpd_collectd_script" "dwalsh at redhat.com" "httpd_collectd_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_collectd_script_selinux \- Security Enhanced Linux Policy for the httpd_collectd_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_collectd_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_collectd_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_collectd_script processes execute with the httpd_collectd_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_collectd_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_collectd_script_t SELinux type can be entered via the "httpd_collectd_script_exec_t,shell_exec_t,httpd_collectd_script_exec_t" file types.  The default entrypoint paths for the httpd_collectd_script_t domain are the following:"
++
++/usr/share/collectd/collection3/bin/.*\.cgi, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/collectd/collection3/bin/.*\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_collectd_script:
++
++.EX
++.B httpd_collectd_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30348,32 +32790,16 @@ index 0000000..c17f89a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_collectd_script:
-+
-+.EX
-+.B httpd_collectd_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_collectd_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_collectd_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_collectd_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30393,23 +32819,50 @@ index 0000000..c17f89a
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_collectd_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_cvs_script_selinux.8 b/man/man8/httpd_cvs_script_selinux.8
 new file mode 100644
-index 0000000..02bb966
+index 0000000..4495535
 --- /dev/null
 +++ b/man/man8/httpd_cvs_script_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "httpd_cvs_script_selinux"  "8"  "httpd_cvs_script" "dwalsh at redhat.com" "httpd_cvs_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_cvs_script_selinux \- Security Enhanced Linux Policy for the httpd_cvs_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_cvs_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_cvs_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_cvs_script processes execute with the httpd_cvs_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_cvs_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_cvs_script_t SELinux type can be entered via the "shell_exec_t,httpd_cvs_script_exec_t,httpd_cvs_script_exec_t" file types.  The default entrypoint paths for the httpd_cvs_script_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/cvsweb/cvsweb\.cgi, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi, /var/www/cgi-bin/cvsweb\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_cvs_script:
++
++.EX
++.B httpd_cvs_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30441,27 +32894,9 @@ index 0000000..02bb966
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_cvs_script:
-+
-+.EX
-+.B httpd_cvs_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_cvs_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_cvs_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cvs_tmp_t
@@ -30471,6 +32906,8 @@ index 0000000..02bb966
 +.B httpd_cvs_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30490,23 +32927,50 @@ index 0000000..02bb966
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_cvs_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_dirsrvadmin_script_selinux.8 b/man/man8/httpd_dirsrvadmin_script_selinux.8
 new file mode 100644
-index 0000000..04f4409
+index 0000000..dfdc0b6
 --- /dev/null
 +++ b/man/man8/httpd_dirsrvadmin_script_selinux.8
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,139 @@
 +.TH  "httpd_dirsrvadmin_script_selinux"  "8"  "httpd_dirsrvadmin_script" "dwalsh at redhat.com" "httpd_dirsrvadmin_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_dirsrvadmin_script_selinux \- Security Enhanced Linux Policy for the httpd_dirsrvadmin_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_dirsrvadmin_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_dirsrvadmin_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_dirsrvadmin_script processes execute with the httpd_dirsrvadmin_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_dirsrvadmin_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_dirsrvadmin_script_t SELinux type can be entered via the "httpd_dirsrvadmin_script_exec_t,shell_exec_t,httpd_dirsrvadmin_script_exec_t" file types.  The default entrypoint paths for the httpd_dirsrvadmin_script_t domain are the following:"
++
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /usr/lib/dirsrv/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_dirsrvadmin_script:
++
++.EX
++.B httpd_dirsrvadmin_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30538,27 +33002,9 @@ index 0000000..04f4409
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_dirsrvadmin_script:
-+
-+.EX
-+.B httpd_dirsrvadmin_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_dirsrvadmin_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_dirsrvadmin_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dirsrv_config_t
@@ -30606,6 +33052,8 @@ index 0000000..04f4409
 +.B httpd_dirsrvadmin_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30625,23 +33073,50 @@ index 0000000..04f4409
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_dirsrvadmin_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_dspam_script_selinux.8 b/man/man8/httpd_dspam_script_selinux.8
 new file mode 100644
-index 0000000..f888455
+index 0000000..4f67e77
 --- /dev/null
 +++ b/man/man8/httpd_dspam_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_dspam_script_selinux"  "8"  "httpd_dspam_script" "dwalsh at redhat.com" "httpd_dspam_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_dspam_script_selinux \- Security Enhanced Linux Policy for the httpd_dspam_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_dspam_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_dspam_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_dspam_script processes execute with the httpd_dspam_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_dspam_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_dspam_script_t SELinux type can be entered via the "shell_exec_t,httpd_dspam_script_exec_t,httpd_dspam_script_exec_t" file types.  The default entrypoint paths for the httpd_dspam_script_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/dspam-web/dspam\.cgi, /usr/share/dspam-web/dspam\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_dspam_script:
++
++.EX
++.B httpd_dspam_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30669,32 +33144,16 @@ index 0000000..f888455
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_dspam_script:
-+
-+.EX
-+.B httpd_dspam_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_dspam_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_dspam_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_dspam_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30714,37 +33173,50 @@ index 0000000..f888455
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_dspam_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_git_script_selinux.8 b/man/man8/httpd_git_script_selinux.8
 new file mode 100644
-index 0000000..ba6885e
+index 0000000..cb442ce
 --- /dev/null
 +++ b/man/man8/httpd_git_script_selinux.8
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,115 @@
 +.TH  "httpd_git_script_selinux"  "8"  "httpd_git_script" "dwalsh at redhat.com" "httpd_git_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_git_script_selinux \- Security Enhanced Linux Policy for the httpd_git_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_git_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_git_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_git_script processes execute with the httpd_git_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_git_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep httpd_git_script_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The httpd_git_script_t SELinux type can be entered via the "httpd_git_script_exec_t,shell_exec_t,httpd_git_script_exec_t" file types.  The default entrypoint paths for the httpd_git_script_t domain are the following:"
++
++/var/www/git/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/gitweb-caching/gitweb\.cgi, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /var/www/git/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/gitweb-caching/gitweb\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_git_script_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_git_script:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B httpd_git_script_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30776,27 +33248,9 @@ index 0000000..ba6885e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_git_script:
-+
-+.EX
-+.B httpd_git_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_git_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_git_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_git_rw_content_t
@@ -30806,6 +33260,22 @@ index 0000000..ba6885e
 +	/var/cache/gitweb-caching(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_git_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_git_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -30825,23 +33295,50 @@ index 0000000..ba6885e
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_git_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_helper_selinux.8 b/man/man8/httpd_helper_selinux.8
 new file mode 100644
-index 0000000..11da9c3
+index 0000000..00848ff
 --- /dev/null
 +++ b/man/man8/httpd_helper_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "httpd_helper_selinux"  "8"  "httpd_helper" "dwalsh at redhat.com" "httpd_helper SELinux Policy documentation"
 +.SH "NAME"
 +httpd_helper_selinux \- Security Enhanced Linux Policy for the httpd_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_helper processes execute with the httpd_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_helper_t SELinux type can be entered via the "httpd_helper_exec_t" file type.  The default entrypoint paths for the httpd_helper_t domain are the following:"
++
++/usr/bin/htsslpass
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_helper:
++
++.EX
++.B httpd_helper_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30869,27 +33366,11 @@ index 0000000..11da9c3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_helper:
-+
-+.EX
-+.B httpd_helper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -30910,23 +33391,50 @@ index 0000000..11da9c3
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_helper(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_man2html_script_selinux.8 b/man/man8/httpd_man2html_script_selinux.8
 new file mode 100644
-index 0000000..28ffb0d
+index 0000000..e828173
 --- /dev/null
 +++ b/man/man8/httpd_man2html_script_selinux.8
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,111 @@
 +.TH  "httpd_man2html_script_selinux"  "8"  "httpd_man2html_script" "dwalsh at redhat.com" "httpd_man2html_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_man2html_script_selinux \- Security Enhanced Linux Policy for the httpd_man2html_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_man2html_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_man2html_script processes via flexible mandatory access control.
++
++The httpd_man2html_script processes execute with the httpd_man2html_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_man2html_script_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The httpd_man2html_script_t SELinux type can be entered via the "httpd_man2html_script_exec_t,shell_exec_t,httpd_man2html_script_exec_t" file types.  The default entrypoint paths for the httpd_man2html_script_t domain are the following:"
++
++/usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/mansec, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/mansec
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_man2html_script:
++
++.EX
++.B httpd_man2html_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -30966,27 +33474,9 @@ index 0000000..28ffb0d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_man2html_script:
-+
-+.EX
-+.B httpd_man2html_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_man2html_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_man2html_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_man2html_rw_content_t
@@ -30998,6 +33488,8 @@ index 0000000..28ffb0d
 +	/var/cache/man2html(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31017,23 +33509,50 @@ index 0000000..28ffb0d
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_man2html_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_mediawiki_script_selinux.8 b/man/man8/httpd_mediawiki_script_selinux.8
 new file mode 100644
-index 0000000..8196eca
+index 0000000..5c9ccca
 --- /dev/null
 +++ b/man/man8/httpd_mediawiki_script_selinux.8
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,99 @@
 +.TH  "httpd_mediawiki_script_selinux"  "8"  "httpd_mediawiki_script" "dwalsh at redhat.com" "httpd_mediawiki_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_mediawiki_script_selinux \- Security Enhanced Linux Policy for the httpd_mediawiki_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_mediawiki_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_mediawiki_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_mediawiki_script processes execute with the httpd_mediawiki_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_mediawiki_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_mediawiki_script_t SELinux type can be entered via the "httpd_mediawiki_script_exec_t,shell_exec_t,httpd_mediawiki_script_exec_t" file types.  The default entrypoint paths for the httpd_mediawiki_script_t domain are the following:"
++
++/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_mediawiki_script:
++
++.EX
++.B httpd_mediawiki_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
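Review bot: The added PROCESS TYPES text for httpd_mediawiki_script closes the bold `ps` with `\bP` (`\fBps\bP`), which is not a font escape, so the bold is not closed there; it should read `\fBps\fP`, as the new DESCRIPTION paragraph a few lines above already writes it. The new ENTRYPOINTS sentence names httpd_mediawiki_script_exec_t twice, repeats the three texvc paths at the end of the path list and ends in a stray `"` after `following:`. The SEE ALSO line at the top of this hunk (man2html page) now carries `httpd_selinux(8)` twice. The mojomojo, munin, nagios, nutups_cgi and openshift pages in the later hunks show the same output, and each also gains an `.SH NSSWITCH DOMAIN` heading with no text under it. The fix presumably belongs in whatever produces these pages: de-duplicate the type and path lists before printing, and skip a section that has no content.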
@@ -31065,27 +33584,9 @@ index 0000000..8196eca
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_mediawiki_script:
-+
-+.EX
-+.B httpd_mediawiki_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_mediawiki_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_mediawiki_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_mediawiki_rw_content_t
@@ -31093,6 +33594,8 @@ index 0000000..8196eca
 +	/var/www/wiki(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31112,23 +33615,50 @@ index 0000000..8196eca
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_mediawiki_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_mojomojo_script_selinux.8 b/man/man8/httpd_mojomojo_script_selinux.8
 new file mode 100644
-index 0000000..bdeab45
+index 0000000..fc9bc9f
 --- /dev/null
 +++ b/man/man8/httpd_mojomojo_script_selinux.8
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,99 @@
 +.TH  "httpd_mojomojo_script_selinux"  "8"  "httpd_mojomojo_script" "dwalsh at redhat.com" "httpd_mojomojo_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_mojomojo_script_selinux \- Security Enhanced Linux Policy for the httpd_mojomojo_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_mojomojo_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_mojomojo_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_mojomojo_script processes execute with the httpd_mojomojo_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_mojomojo_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_mojomojo_script_t SELinux type can be entered via the "httpd_mojomojo_script_exec_t,shell_exec_t,httpd_mojomojo_script_exec_t" file types.  The default entrypoint paths for the httpd_mojomojo_script_t domain are the following:"
++
++/usr/bin/mojomojo_fastcgi\.pl, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/bin/mojomojo_fastcgi\.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_mojomojo_script:
++
++.EX
++.B httpd_mojomojo_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
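Review bot: The new ENTRYPOINTS section for httpd_mojomojo_script_t lists every shell path alongside `/usr/bin/mojomojo_fastcgi\.pl` without saying what an entrypoint does and does not grant, which makes the domain look reachable from any shell invocation. The shells are presumably there because shell_exec_t is an entrypoint type for the domain, though the rule itself is not visible in this hunk. I would add one sentence after the path list, for example `An entrypoint only names the files through which the domain may be entered; the calling domain must also be allowed to execute the file and to transition to httpd_mojomojo_script_t.` The other httpd_*_script pages in this patch need the same sentence.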
@@ -31156,27 +33686,9 @@ index 0000000..bdeab45
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_mojomojo_script:
-+
-+.EX
-+.B httpd_mojomojo_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_mojomojo_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_mojomojo_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_mojomojo_rw_content_t
@@ -31188,6 +33700,8 @@ index 0000000..bdeab45
 +.B httpd_mojomojo_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31207,23 +33721,50 @@ index 0000000..bdeab45
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_mojomojo_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_munin_script_selinux.8 b/man/man8/httpd_munin_script_selinux.8
 new file mode 100644
-index 0000000..9e0ce07
+index 0000000..eb8ed1b
 --- /dev/null
 +++ b/man/man8/httpd_munin_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_munin_script_selinux"  "8"  "httpd_munin_script" "dwalsh at redhat.com" "httpd_munin_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_munin_script_selinux \- Security Enhanced Linux Policy for the httpd_munin_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_munin_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_munin_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_munin_script processes execute with the httpd_munin_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_munin_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_munin_script_t SELinux type can be entered via the "httpd_munin_script_exec_t,shell_exec_t,httpd_munin_script_exec_t" file types.  The default entrypoint paths for the httpd_munin_script_t domain are the following:"
++
++/var/www/html/munin/cgi(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /var/www/html/munin/cgi(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_munin_script:
++
++.EX
++.B httpd_munin_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -31251,32 +33792,16 @@ index 0000000..9e0ce07
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_munin_script:
-+
-+.EX
-+.B httpd_munin_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_munin_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_munin_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_munin_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31296,23 +33821,50 @@ index 0000000..9e0ce07
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_munin_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_nagios_script_selinux.8 b/man/man8/httpd_nagios_script_selinux.8
 new file mode 100644
-index 0000000..d628d37
+index 0000000..ff03c0d
 --- /dev/null
 +++ b/man/man8/httpd_nagios_script_selinux.8
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,97 @@
 +.TH  "httpd_nagios_script_selinux"  "8"  "httpd_nagios_script" "dwalsh at redhat.com" "httpd_nagios_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_nagios_script_selinux \- Security Enhanced Linux Policy for the httpd_nagios_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_nagios_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_nagios_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_nagios_script processes execute with the httpd_nagios_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_nagios_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_nagios_script_t SELinux type can be entered via the "httpd_nagios_script_exec_t,shell_exec_t,httpd_nagios_script_exec_t" file types.  The default entrypoint paths for the httpd_nagios_script_t domain are the following:"
++
++/usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /usr/lib/nagios/cgi(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /usr/lib/nagios/cgi(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_nagios_script:
++
++.EX
++.B httpd_nagios_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -31344,32 +33896,16 @@ index 0000000..d628d37
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_nagios_script:
-+
-+.EX
-+.B httpd_nagios_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_nagios_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_nagios_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_nagios_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31389,23 +33925,50 @@ index 0000000..d628d37
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_nagios_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_nutups_cgi_script_selinux.8 b/man/man8/httpd_nutups_cgi_script_selinux.8
 new file mode 100644
-index 0000000..db3d43e
+index 0000000..cd287f3
 --- /dev/null
 +++ b/man/man8/httpd_nutups_cgi_script_selinux.8
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,97 @@
 +.TH  "httpd_nutups_cgi_script_selinux"  "8"  "httpd_nutups_cgi_script" "dwalsh at redhat.com" "httpd_nutups_cgi_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_nutups_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_nutups_cgi_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_nutups_cgi_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_nutups_cgi_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_nutups_cgi_script processes execute with the httpd_nutups_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_nutups_cgi_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_nutups_cgi_script_t SELinux type can be entered via the "httpd_nutups_cgi_script_exec_t,shell_exec_t,httpd_nutups_cgi_script_exec_t" file types.  The default entrypoint paths for the httpd_nutups_cgi_script_t domain are the following:"
++
++/var/www/nut-cgi-bin/upsstats\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsset\.cgi, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /var/www/nut-cgi-bin/upsstats\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsset\.cgi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_nutups_cgi_script:
++
++.EX
++.B httpd_nutups_cgi_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -31437,32 +34000,16 @@ index 0000000..db3d43e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_nutups_cgi_script:
-+
-+.EX
-+.B httpd_nutups_cgi_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_nutups_cgi_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_nutups_cgi_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_nutups_cgi_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31482,23 +34029,50 @@ index 0000000..db3d43e
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_nutups_cgi_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_openshift_script_selinux.8 b/man/man8/httpd_openshift_script_selinux.8
 new file mode 100644
-index 0000000..6330401
+index 0000000..9d53699
 --- /dev/null
 +++ b/man/man8/httpd_openshift_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_openshift_script_selinux"  "8"  "httpd_openshift_script" "dwalsh at redhat.com" "httpd_openshift_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_openshift_script_selinux \- Security Enhanced Linux Policy for the httpd_openshift_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_openshift_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_openshift_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_openshift_script processes execute with the httpd_openshift_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_openshift_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_openshift_script_t SELinux type can be entered via the "httpd_openshift_script_exec_t,shell_exec_t,httpd_openshift_script_exec_t" file types.  The default entrypoint paths for the httpd_openshift_script_t domain are the following:"
++
++/usr/bin/rhc-restorer-wrapper.sh, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/bin/rhc-restorer-wrapper.sh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_openshift_script:
++
++.EX
++.B httpd_openshift_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -31526,32 +34100,16 @@ index 0000000..6330401
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_openshift_script:
-+
-+.EX
-+.B httpd_openshift_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_openshift_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_openshift_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_openshift_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31571,37 +34129,50 @@ index 0000000..6330401
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_openshift_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_passwd_selinux.8 b/man/man8/httpd_passwd_selinux.8
 new file mode 100644
-index 0000000..e666549
+index 0000000..4d52e21
 --- /dev/null
 +++ b/man/man8/httpd_passwd_selinux.8
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,111 @@
 +.TH  "httpd_passwd_selinux"  "8"  "httpd_passwd" "dwalsh at redhat.com" "httpd_passwd SELinux Policy documentation"
 +.SH "NAME"
 +httpd_passwd_selinux \- Security Enhanced Linux Policy for the httpd_passwd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_passwd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_passwd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_passwd processes execute with the httpd_passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep httpd_passwd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The httpd_passwd_t SELinux type can be entered via the "httpd_passwd_exec_t" file type.  The default entrypoint paths for the httpd_passwd_t domain are the following:"
++
++/usr/libexec/httpd-ssl-pass-dialog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_passwd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_passwd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B httpd_passwd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
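Review bot: The moved PROCESS TYPES text still ends its `ps` reference with `\bP` instead of `\fP`, so the bold font is never switched back and `\b` is read as the bracket-building escape; the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is re-added in the httpd_php, httpd_prewikka_script, httpd_rotatelogs and httpd pages below. Since the block is being relocated anyway, this is the place to correct the template.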
@@ -31629,27 +34200,9 @@ index 0000000..e666549
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_passwd:
-+
-+.EX
-+.B httpd_passwd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_passwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_passwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B systemd_passwd_var_run_t
@@ -31659,6 +34212,22 @@ index 0000000..e666549
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_passwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
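Review bot: The NSSWITCH paragraph reads "rather then using a sssd serve", which should be `rather than using an sssd server`; the same sentence is re-added in the httpd_php, httpd_prewikka_script and httpd pages later in this patch. The paragraph also gives no hint that `setsebool -P` stores the value persistently, which an administrator would want to know before widening what the domain may do. One sentence after the example, such as `The \-P option makes the change persistent across reboots.`, would cover it.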
@@ -31678,37 +34247,50 @@ index 0000000..e666549
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_passwd(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_php_selinux.8 b/man/man8/httpd_php_selinux.8
 new file mode 100644
-index 0000000..8af1f84
+index 0000000..2ec3952
 --- /dev/null
 +++ b/man/man8/httpd_php_selinux.8
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,115 @@
 +.TH  "httpd_php_selinux"  "8"  "httpd_php" "dwalsh at redhat.com" "httpd_php SELinux Policy documentation"
 +.SH "NAME"
 +httpd_php_selinux \- Security Enhanced Linux Policy for the httpd_php processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_php processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_php processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_php processes execute with the httpd_php_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_php_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep httpd_php_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_php_t SELinux type can be entered via the "httpd_php_exec_t" file type.  The default entrypoint paths for the httpd_php_t domain are the following:"
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_php_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_php:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B httpd_php_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
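Review bot: In the new ENTRYPOINTS section the sentence ends with a stray `"` after `following:`, and for httpd_php_t nothing follows it, so the reader cannot tell whether no file is labeled httpd_php_exec_t by default or the path lookup failed. The stray quote is also present in the httpd_passwd, httpd_prewikka_script, httpd_rotatelogs and httpd pages. I would end the sentence with `are the following:` and, when the path list is empty, print an explicit line such as `No default paths are labeled with this file type.` instead of leaving the section blank.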
@@ -31744,32 +34326,30 @@ index 0000000..8af1f84
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_php:
-+
-+.EX
-+.B httpd_php_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_php_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_php_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_php_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_php_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_php_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31789,37 +34369,50 @@ index 0000000..8af1f84
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_php(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_prewikka_script_selinux.8 b/man/man8/httpd_prewikka_script_selinux.8
 new file mode 100644
-index 0000000..513a6e8
+index 0000000..635c75e
 --- /dev/null
 +++ b/man/man8/httpd_prewikka_script_selinux.8
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,107 @@
 +.TH  "httpd_prewikka_script_selinux"  "8"  "httpd_prewikka_script" "dwalsh at redhat.com" "httpd_prewikka_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_prewikka_script_selinux \- Security Enhanced Linux Policy for the httpd_prewikka_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_prewikka_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_prewikka_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_prewikka_script processes execute with the httpd_prewikka_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep httpd_prewikka_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_prewikka_script_t SELinux type can be entered via the "httpd_prewikka_script_exec_t,shell_exec_t,httpd_prewikka_script_exec_t" file types.  The default entrypoint paths for the httpd_prewikka_script_t domain are the following:"
 +
++/usr/share/prewikka/cgi-bin(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/prewikka/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_prewikka_script:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B httpd_prewikka_script_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
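Review bot: The ENTRYPOINTS list for httpd_prewikka_script_t names `httpd_prewikka_script_exec_t` twice and repeats `/usr/share/prewikka/cgi-bin(/.*)?` at both ends of the path list, and the paths of both entry types are run together in one unsorted comma-separated line. Anyone auditing which executables can start this domain has to pick the one application path out of about thirty shell paths that come from `shell_exec_t`. De-duplicating the types and paths and printing them grouped by file type, one path per `.br` line as MANAGED FILES does, would make that audit practical. Whether the shell entry type is intended for this domain cannot be judged from the hunk.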
@@ -31847,32 +34440,30 @@ index 0000000..513a6e8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_prewikka_script:
-+
-+.EX
-+.B httpd_prewikka_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_prewikka_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_prewikka_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_prewikka_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -31892,23 +34483,50 @@ index 0000000..513a6e8
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_prewikka_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_rotatelogs_selinux.8 b/man/man8/httpd_rotatelogs_selinux.8
 new file mode 100644
-index 0000000..fa3fa7c
+index 0000000..6578500
 --- /dev/null
 +++ b/man/man8/httpd_rotatelogs_selinux.8
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,117 @@
 +.TH  "httpd_rotatelogs_selinux"  "8"  "httpd_rotatelogs" "dwalsh at redhat.com" "httpd_rotatelogs SELinux Policy documentation"
 +.SH "NAME"
 +httpd_rotatelogs_selinux \- Security Enhanced Linux Policy for the httpd_rotatelogs processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_rotatelogs processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_rotatelogs processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_rotatelogs processes execute with the httpd_rotatelogs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_rotatelogs_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_rotatelogs_t SELinux type can be entered via the "httpd_rotatelogs_exec_t" file type.  The default entrypoint paths for the httpd_rotatelogs_t domain are the following:"
++
++/usr/sbin/rotatelogs
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_rotatelogs:
++
++.EX
++.B httpd_rotatelogs_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
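Review bot: The permissive note explains how to switch a domain to permissive but not how to switch it back, and a domain left permissive is no longer confined even though AVC messages keep appearing. I would add one sentence after it, for example `Use semanage permissive \-d PROCESS_TYPE to return the type to enforcing once troubleshooting is finished.` The same note is re-added unchanged in the other httpd_* pages of this patch.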
@@ -31936,27 +34554,9 @@ index 0000000..fa3fa7c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_rotatelogs:
-+
-+.EX
-+.B httpd_rotatelogs_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_rotatelogs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_rotatelogs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_log_t
@@ -31986,6 +34586,8 @@ index 0000000..fa3fa7c
 +	/etc/httpd/logs
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -32005,13 +34607,13 @@ index 0000000..fa3fa7c
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_rotatelogs(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
-index 16e8b13..aded5fa 100644
+index 16e8b13..0c91ef3 100644
 --- a/man/man8/httpd_selinux.8
 +++ b/man/man8/httpd_selinux.8
-@@ -1,120 +1,1969 @@
+@@ -1,120 +1,1980 @@
 -.TH  "httpd_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "httpd Selinux Policy documentation"
 -.de EX
 -.nf
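Review bot: The regenerated SEE ALSO line lists `httpd_selinux(8)` twice in a row, here and in the httpd_openshift_script, httpd_passwd, httpd_php and httpd_prewikka_script pages above. The list should be de-duplicated before it is written, so the line starts `, httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), ...`. The httpd_selinux.8 diff that begins at the end of this hunk continues outside it.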
@@ -32028,14 +34630,43 @@ index 16e8b13..aded5fa 100644
  .SH "DESCRIPTION"
  
 -Security-Enhanced Linux secures the httpd server via flexible mandatory access
-+Security-Enhanced Linux secures the httpd processes via flexible mandatory access
- control.  
+-control.  
 -.SH FILE_CONTEXTS
 -SELinux requires files to have an extended attribute to define the file type. 
 -Policy governs the access daemons have to these files. 
 -SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
--.PP 
++Security-Enhanced Linux secures the httpd processes via flexible mandatory access control.
++
++The httpd processes execute with the httpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_t SELinux type can be entered via the "httpd_exec_t" file type.  The default entrypoint paths for the httpd_t domain are the following:"
++
++/usr/sbin/apache(2)?, /usr/share/jetty/bin/jetty.sh, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
+ .PP 
 -The following file contexts types are defined for httpd:
++The following process types are defined for httpd:
++
++.EX
++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
@@ -32147,6 +34778,13 @@ index 16e8b13..aded5fa 100644
 +.EE
 +
 +.PP
++If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.
++
++.EX
++.B setsebool -P httpd_can_connect_ldap 1
++.EE
++
++.PP
 +If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
 +
 +.EX
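Review bot: The httpd_can_connect_ldap paragraph added here is word for word the one removed in the next hunk, and the hunk after that shifts the openstack, ftp, zabbix and setrlimit paragraphs in the same way, so these hunks only reorder the BOOLEANS section. That suggests the generator emits booleans in an unstable order (the process type list earlier in this page is unsorted too), which buries real policy documentation changes in a patch of this size. Sorting the booleans by name before writing them would keep regenerated pages stable and the diff reviewable.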
@@ -32210,16 +34848,6 @@ index 16e8b13..aded5fa 100644
 +.EE
 +
 +.PP
-+If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.
-+
- .EX
--httpd_sys_content_t 
--.EE 
--- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
-+.B setsebool -P httpd_can_connect_ldap 1
-+.EE
-+
-+.PP
 +If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean.
 +
 +.EX
@@ -32243,71 +34871,58 @@ index 16e8b13..aded5fa 100644
 +.PP
 +If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.
 +
-+.EX
+ .EX
+-httpd_sys_content_t 
+-.EE 
+-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
 +.B setsebool -P httpd_can_network_connect_cobbler 1
 +.EE
 +
 +.PP
 +If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
 +
-+.EX
-+.B setsebool -P httpd_ssi_exec 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
-+
-+.EX
-+.B setsebool -P httpd_use_openstack 1
-+.EE
-+
-+.PP
-+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
-+
  .EX
 -httpd_sys_script_exec_t  
 -.EE 
 -- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
-+.B setsebool -P httpd_enable_ftp_server 1
++.B setsebool -P httpd_ssi_exec 1
 +.EE
 +
 +.PP
-+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
++If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean.
 +
  .EX
 -httpd_sys_content_rw_t 
-+.B setsebool -P httpd_can_connect_zabbix 1
++.B setsebool -P httpd_use_openstack 1
  .EE
 -- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
 +
 +.PP
-+If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean.
++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.
 +
  .EX
 -httpd_sys_content_ra_t 
-+.B setsebool -P httpd_setrlimit 1
++.B setsebool -P httpd_enable_ftp_server 1
  .EE
 -- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
 +
-+.SH NSSWITCH DOMAIN
-+
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
 +
  .EX
 -httpd_unconfined_script_exec_t  
 -.EE 
 -- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P httpd_can_connect_zabbix 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
++If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean.
  
 -.SH NOTE
 -With certain policies you can define additional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_setrlimit 1
 +.EE
  
  .SH SHARING FILES
@@ -32361,8 +34976,7 @@ index 16e8b13..aded5fa 100644
 +
 +
 +.EX
- .PP
--httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
++.PP
 +.B httpd_apcupsd_cgi_content_t 
 +.EE
 +
@@ -32378,7 +34992,8 @@ index 16e8b13..aded5fa 100644
 +
 +
 +.EX
-+.PP
+ .PP
+-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
 +.B httpd_apcupsd_cgi_ra_content_t 
 +.EE
 +
@@ -33646,27 +36261,9 @@ index 16e8b13..aded5fa 100644
 +Default Defined Ports:
 +tcp 80,81,443,488,8008,8009,8443
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd:
-+
-+.EX
-+.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_retrace_spool_t
@@ -34016,6 +36613,22 @@ index 16e8b13..aded5fa 100644
 +	/var/lib/zarafa-webaccess(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
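Review bot: The new NSSWITCH DOMAIN text says the booleans can be turned on "for the" listed httpd types, but the commands it shows, `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1`, name only a boolean and no domain. A reader following the page therefore makes a persistent change that is not scoped to those types; which other domains each boolean affects is not visible here and should be confirmed against the policy source. A sentence after each `.EE`, such as `This boolean is not limited to the process types listed above.`, would make that explicit. The first paragraph also has two typos: `rather then using a sssd serve` should read `rather than using an sssd server`. The same wording is added again in the httpd_suexec and httpd_sys_script pages further down.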
@@ -34045,19 +36658,46 @@ index 16e8b13..aded5fa 100644
 \ No newline at end of file
 diff --git a/man/man8/httpd_smokeping_cgi_script_selinux.8 b/man/man8/httpd_smokeping_cgi_script_selinux.8
 new file mode 100644
-index 0000000..c36a046
+index 0000000..08d734b
 --- /dev/null
 +++ b/man/man8/httpd_smokeping_cgi_script_selinux.8
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,99 @@
 +.TH  "httpd_smokeping_cgi_script_selinux"  "8"  "httpd_smokeping_cgi_script" "dwalsh at redhat.com" "httpd_smokeping_cgi_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_smokeping_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_smokeping_cgi_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_smokeping_cgi_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_smokeping_cgi_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_smokeping_cgi_script processes execute with the httpd_smokeping_cgi_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_smokeping_cgi_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_smokeping_cgi_script_t SELinux type can be entered via the "httpd_smokeping_cgi_script_exec_t,shell_exec_t,httpd_smokeping_cgi_script_exec_t" file types.  The default entrypoint paths for the httpd_smokeping_cgi_script_t domain are the following:"
++
++/usr/share/smokeping/cgi(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/smokeping/cgi(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_smokeping_cgi_script:
++
++.EX
++.B httpd_smokeping_cgi_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
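Review bot: The relocated PROCESS TYPES block keeps the malformed font escape in `option to \fBps\bP`. `\bP` is not the font-reset escape, so bold is probably not switched off after `ps` and the following text may render wrongly. The DESCRIPTION paragraph added in this same hunk already uses the correct form, so the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is re-added unchanged in the squid, suexec, sys_script, user_script and w3c_validator pages below.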
@@ -34085,27 +36725,9 @@ index 0000000..c36a046
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_smokeping_cgi_script:
-+
-+.EX
-+.B httpd_smokeping_cgi_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_smokeping_cgi_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_smokeping_cgi_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_smokeping_cgi_rw_content_t
@@ -34117,6 +36739,8 @@ index 0000000..c36a046
 +	/var/lib/smokeping(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
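Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so the rendered page shows a bare heading immediately followed by COMMANDS. A reader cannot tell whether the domain has no nsswitch-related booleans or whether the text was lost. Either emit the heading only when there is text for the domain, or add a line such as `No nsswitch booleans apply to this process type.` if that is what the empty section means. The same empty heading is added in the squid, user_script and w3c_validator pages.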
@@ -34136,23 +36760,50 @@ index 0000000..c36a046
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_smokeping_cgi_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_squid_script_selinux.8 b/man/man8/httpd_squid_script_selinux.8
 new file mode 100644
-index 0000000..5312360
+index 0000000..4f98a94
 --- /dev/null
 +++ b/man/man8/httpd_squid_script_selinux.8
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,97 @@
 +.TH  "httpd_squid_script_selinux"  "8"  "httpd_squid_script" "dwalsh at redhat.com" "httpd_squid_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_squid_script_selinux \- Security Enhanced Linux Policy for the httpd_squid_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_squid_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_squid_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_squid_script processes execute with the httpd_squid_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_squid_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_squid_script_t SELinux type can be entered via the "httpd_squid_script_exec_t,shell_exec_t,httpd_squid_script_exec_t" file types.  The default entrypoint paths for the httpd_squid_script_t domain are the following:"
++
++/usr/lib/squid/cachemgr\.cgi, /usr/share/lightsquid/cgi(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/squid/cachemgr\.cgi, /usr/share/lightsquid/cgi(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_squid_script:
++
++.EX
++.B httpd_squid_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
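Review bot: The extended SEE ALSO line lists `httpd_selinux(8)` twice in a row and still begins with `, ` on a line of its own, so the rendered list has a space before the comma after `chcon(1)`. Dropping the duplicate and moving the comma to the end of the previous line (`... restorecon(8), chcon(1),` then `httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), ...`) fixes both. The same pattern is repeated in the SEE ALSO lines of the squid, suexec, sys_script and user_script pages.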
@@ -34184,32 +36835,16 @@ index 0000000..5312360
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_squid_script:
-+
-+.EX
-+.B httpd_squid_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_squid_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_squid_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_squid_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -34229,37 +36864,50 @@ index 0000000..5312360
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_squid_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_suexec_selinux.8 b/man/man8/httpd_suexec_selinux.8
 new file mode 100644
-index 0000000..0fa636d
+index 0000000..c0ace36
 --- /dev/null
 +++ b/man/man8/httpd_suexec_selinux.8
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,119 @@
 +.TH  "httpd_suexec_selinux"  "8"  "httpd_suexec" "dwalsh at redhat.com" "httpd_suexec SELinux Policy documentation"
 +.SH "NAME"
 +httpd_suexec_selinux \- Security Enhanced Linux Policy for the httpd_suexec processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_suexec processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_suexec processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_suexec processes execute with the httpd_suexec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_suexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep httpd_suexec_t
++
++
++.SH "ENTRYPOINTS"
 +
++The httpd_suexec_t SELinux type can be entered via the "httpd_suexec_exec_t" file type.  The default entrypoint paths for the httpd_suexec_t domain are the following:"
++
++/usr/lib/apache(2)?/suexec(2)?, /usr/sbin/suexec, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_suexec_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_suexec:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B httpd_suexec_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -34299,32 +36947,30 @@ index 0000000..0fa636d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_suexec:
-+
-+.EX
-+.B httpd_suexec_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_suexec_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_suexec_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_suexec_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_suexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_suexec_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -34344,37 +36990,50 @@ index 0000000..0fa636d
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_suexec(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_sys_script_selinux.8 b/man/man8/httpd_sys_script_selinux.8
 new file mode 100644
-index 0000000..fec651b
+index 0000000..6191d01
 --- /dev/null
 +++ b/man/man8/httpd_sys_script_selinux.8
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,183 @@
 +.TH  "httpd_sys_script_selinux"  "8"  "httpd_sys_script" "dwalsh at redhat.com" "httpd_sys_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_sys_script_selinux \- Security Enhanced Linux Policy for the httpd_sys_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_sys_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_sys_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_sys_script processes execute with the httpd_sys_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep httpd_sys_script_t
 +
++
++.SH "ENTRYPOINTS"
++
++The httpd_sys_script_t SELinux type can be entered via the "cifs_t,nfs_t,httpd_sys_script_exec_t,shell_exec_t,httpd_sys_content_t,httpd_sys_script_exec_t" file types.  The default entrypoint paths for the httpd_sys_script_t domain are the following:"
++
++/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /opt/.*\.cgi, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /usr/.*\.cgi, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/icecast(/.*)?, /usr/share/htdig(/.*)?, /etc/htdig(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/mythtv/
 data(/.*)?, /var/lib/htdig(/.*)?, /srv/gallery2(/.*)?, /srv/([^/]*/)?www(/.*)?, /usr/share/ntop/html(/.*)?, /test/symlinked/file, /usr/share/mythweb(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/share/drupal.*, /var/lib/cacti/rra(/.*)?, /var/lib/trac(/.*)?, /var/www(/.*)?, /var/www/icons(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /opt/.*\.cgi, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /usr/.*\.cgi, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_sys_script:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B httpd_sys_script_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
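Review bot: The ENTRYPOINTS paragraph for httpd_sys_script_t names `httpd_sys_script_exec_t` twice in its type list, then gives one flat path list in which the `/var/www/svn/hooks(/.*)?` … `wp-includes/.*\.php` block appears twice. The list also contains `/test/symlinked/file`, which looks like a local test entry picked up when the page was generated rather than a shipped default; that should be confirmed against the file-context source. Entry points determine which labelled files may start a process in this domain, so the list should be deduplicated and grouped by file type to show which paths belong to `cifs_t`, `nfs_t`, `shell_exec_t` and `httpd_sys_content_t`. The sentence also ends with a stray `"` after `following:`. Duplicated types and the stray quote recur in the smokeping, squid, user_script and w3c_validator pages, and the stray quote alone in the suexec page.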
@@ -34432,27 +37091,9 @@ index 0000000..fec651b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_sys_script:
-+
-+.EX
-+.B httpd_sys_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_sys_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_sys_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_sys_rw_content_t
@@ -34504,6 +37145,22 @@ index 0000000..fec651b
 +	/var/run/user/apache(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the httpd_sys_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -34523,23 +37180,50 @@ index 0000000..fec651b
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_user_script_selinux.8 b/man/man8/httpd_user_script_selinux.8
 new file mode 100644
-index 0000000..a2e9b4f
+index 0000000..e0305ba
 --- /dev/null
 +++ b/man/man8/httpd_user_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_user_script_selinux"  "8"  "httpd_user_script" "dwalsh at redhat.com" "httpd_user_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_user_script_selinux \- Security Enhanced Linux Policy for the httpd_user_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_user_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_user_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_user_script processes execute with the httpd_user_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_user_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_user_script_t SELinux type can be entered via the "httpd_user_script_exec_t,shell_exec_t,httpd_user_script_exec_t" file types.  The default entrypoint paths for the httpd_user_script_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_user_script:
++
++.EX
++.B httpd_user_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -34567,32 +37251,16 @@ index 0000000..a2e9b4f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_user_script:
-+
-+.EX
-+.B httpd_user_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_user_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_user_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_user_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -34612,23 +37280,50 @@ index 0000000..a2e9b4f
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_user_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_w3c_validator_script_selinux.8 b/man/man8/httpd_w3c_validator_script_selinux.8
 new file mode 100644
-index 0000000..8e84866
+index 0000000..af2e597
 --- /dev/null
 +++ b/man/man8/httpd_w3c_validator_script_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "httpd_w3c_validator_script_selinux"  "8"  "httpd_w3c_validator_script" "dwalsh at redhat.com" "httpd_w3c_validator_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_w3c_validator_script_selinux \- Security Enhanced Linux Policy for the httpd_w3c_validator_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_w3c_validator_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_w3c_validator_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_w3c_validator_script processes execute with the httpd_w3c_validator_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_w3c_validator_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_w3c_validator_script_t SELinux type can be entered via the "shell_exec_t,httpd_w3c_validator_script_exec_t,httpd_w3c_validator_script_exec_t" file types.  The default entrypoint paths for the httpd_w3c_validator_script_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_w3c_validator_script:
++
++.EX
++.B httpd_w3c_validator_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -34660,27 +37355,9 @@ index 0000000..8e84866
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_w3c_validator_script:
-+
-+.EX
-+.B httpd_w3c_validator_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_w3c_validator_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_w3c_validator_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_w3c_validator_rw_content_t
@@ -34690,6 +37367,8 @@ index 0000000..8e84866
 +.B httpd_w3c_validator_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
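Review bot: The `.SH NSSWITCH DOMAIN` heading added to httpd_w3c_validator_script_selinux.8 has no body, because the next request is `.SH "COMMANDS"`, so the rendered page shows an empty section. The same bare heading is added to httpd_zoneminder_script_selinux.8 and iceauth_selinux.8 in later hunks. The pages share an identical layout and so look generated; if they are, the heading should be emitted only when an nsswitch boolean applies to the domain, which here means dropping the added `.SH NSSWITCH DOMAIN` line.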
@@ -34709,23 +37388,50 @@ index 0000000..8e84866
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_w3c_validator_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_zoneminder_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_zoneminder_script_selinux.8 b/man/man8/httpd_zoneminder_script_selinux.8
 new file mode 100644
-index 0000000..425b531
+index 0000000..2ca9e73
 --- /dev/null
 +++ b/man/man8/httpd_zoneminder_script_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "httpd_zoneminder_script_selinux"  "8"  "httpd_zoneminder_script" "dwalsh at redhat.com" "httpd_zoneminder_script SELinux Policy documentation"
 +.SH "NAME"
 +httpd_zoneminder_script_selinux \- Security Enhanced Linux Policy for the httpd_zoneminder_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the httpd_zoneminder_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the httpd_zoneminder_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The httpd_zoneminder_script processes execute with the httpd_zoneminder_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep httpd_zoneminder_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The httpd_zoneminder_script_t SELinux type can be entered via the "httpd_zoneminder_script_exec_t,shell_exec_t,httpd_zoneminder_script_exec_t" file types.  The default entrypoint paths for the httpd_zoneminder_script_t domain are the following:"
++
++/usr/libexec/zoneminder/cgi-bin(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/libexec/zoneminder/cgi-bin(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for httpd_zoneminder_script:
++
++.EX
++.B httpd_zoneminder_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
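Review bot: The PROCESS TYPES text re-added for httpd_zoneminder_script ends the bold `ps` with `\bP` (`option to \fBps\bP`), and `\b` is not a font escape, so the bold is not closed as intended. The DESCRIPTION paragraph added in this same hunk uses the correct form, `\fBps\fP`. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried into the hwclock, iceauth, icecast, ifconfig, inetd_child and inetd pages in the hunks that follow, so the fix probably belongs in whatever template produces them.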
@@ -34753,32 +37459,16 @@ index 0000000..425b531
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for httpd_zoneminder_script:
-+
-+.EX
-+.B httpd_zoneminder_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type httpd_zoneminder_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type httpd_zoneminder_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_zoneminder_rw_content_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -34798,37 +37488,50 @@ index 0000000..425b531
 +
 +.SH "SEE ALSO"
 +selinux(8), httpd_zoneminder_script(8), semanage(8), restorecon(8), chcon(1)
-+, httpd_selinux(8)
++, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8
 new file mode 100644
-index 0000000..45435cd
+index 0000000..4e90ad5
 --- /dev/null
 +++ b/man/man8/hwclock_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,112 @@
 +.TH  "hwclock_selinux"  "8"  "hwclock" "dwalsh at redhat.com" "hwclock SELinux Policy documentation"
 +.SH "NAME"
 +hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the hwclock processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the hwclock processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The hwclock processes execute with the hwclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep hwclock_t
++
++
++.SH "ENTRYPOINTS"
 +
++The hwclock_t SELinux type can be entered via the "hwclock_exec_t" file type.  The default entrypoint paths for the hwclock_t domain are the following:"
++
++/usr/sbin/hwclock, /sbin/hwclock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the hwclock_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
++.PP 
++The following process types are defined for hwclock:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B hwclock_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
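Review bot: The note added to hwclock_selinux.8 about `semanage permissive -a PROCESS_TYPE` does not say that a permissive domain stays unenforced until the entry is removed. A reader who uses it to get past a denial is left with hwclock_t logging AVC messages but no longer confined. I would add one sentence after "AVC messages will still be generated.", for example `Use a permissive domain only while troubleshooting and remove it with semanage permissive -d PROCESS_TYPE afterwards.` The identical note appears in the other man pages in this patch.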
@@ -34860,27 +37563,9 @@ index 0000000..45435cd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for hwclock:
-+
-+.EX
-+.B hwclock_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type hwclock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type hwclock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B adjtime_t
@@ -34888,6 +37573,22 @@ index 0000000..45435cd
 +	/etc/adjtime
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the hwclock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
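Review bot: The NSSWITCH DOMAIN paragraph moved here in hwclock_selinux.8 still reads `rather then using a sssd serve`, which should be `rather than using an sssd server`. The phrasing "for the hwclock_t" also suggests the setting is scoped to this domain, while `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1` change policy-wide booleans. A short clause such as `(this boolean also affects every other domain that uses it)` would keep an administrator from widening access further than intended. The same paragraph is moved unchanged in the icecast, ifconfig, inetd_child and inetd hunks below.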
@@ -34909,19 +37610,46 @@ index 0000000..45435cd
 +selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8
 new file mode 100644
-index 0000000..3fa5cf8
+index 0000000..7d8e7b5
 --- /dev/null
 +++ b/man/man8/iceauth_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,124 @@
 +.TH  "iceauth_selinux"  "8"  "iceauth" "dwalsh at redhat.com" "iceauth SELinux Policy documentation"
 +.SH "NAME"
 +iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the iceauth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the iceauth processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The iceauth processes execute with the iceauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep iceauth_t
++
++
++.SH "ENTRYPOINTS"
++
++The iceauth_t SELinux type can be entered via the "iceauth_exec_t" file type.  The default entrypoint paths for the iceauth_t domain are the following:"
++
++/usr/bin/iceauth, /usr/X11R6/bin/iceauth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
++.PP 
++The following process types are defined for iceauth:
++
++.EX
++.B iceauth_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
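Review bot: The ENTRYPOINTS sentence added to iceauth_selinux.8 ends with an unmatched double quote (`are the following:"`), which will be printed literally. It should end `The default entrypoint paths for the iceauth_t domain are the following:`. The same trailing quote is in the ENTRYPOINTS sentence of the other pages in this patch. The httpd script pages also name one exec type twice in the quoted list (`httpd_zoneminder_script_exec_t,shell_exec_t,httpd_zoneminder_script_exec_t`), which suggests the list is not de-duplicated before it is written out.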
@@ -34965,27 +37693,9 @@ index 0000000..3fa5cf8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for iceauth:
-+
-+.EX
-+.B iceauth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type iceauth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type iceauth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B iceauth_home_t
@@ -34998,6 +37708,16 @@ index 0000000..3fa5cf8
 +.br
 +	/home/[^/]*/\.ICEauthority.*
 +.br
++	/home/dwalsh/\.DCOP.*
++.br
++	/home/dwalsh/\.ICEauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.DCOP.*
++.br
++	/var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -35020,43 +37740,56 @@ index 0000000..3fa5cf8
 +selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8
 new file mode 100644
-index 0000000..4b3b988
+index 0000000..99b1a8a
 --- /dev/null
 +++ b/man/man8/icecast_selinux.8
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,153 @@
 +.TH  "icecast_selinux"  "8"  "icecast" "dwalsh at redhat.com" "icecast SELinux Policy documentation"
 +.SH "NAME"
 +icecast_selinux \- Security Enhanced Linux Policy for the icecast processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the icecast processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the icecast processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible.
++The icecast processes execute with the icecast_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
++.B ps -eZ | grep icecast_t
 +
-+.EX
-+.B setsebool -P icecast_connect_any 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The icecast_t SELinux type can be entered via the "icecast_exec_t" file type.  The default entrypoint paths for the icecast_t domain are the following:"
++
++/usr/bin/icecast
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
++.PP 
++The following process types are defined for icecast:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B icecast_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean.
++If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P icecast_connect_any 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -35109,27 +37842,9 @@ index 0000000..4b3b988
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for icecast:
-+
-+.EX
-+.B icecast_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type icecast_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type icecast_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B icecast_log_t
@@ -35143,6 +37858,22 @@ index 0000000..4b3b988
 +	/var/run/icecast(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -35169,33 +37900,46 @@ index 0000000..4b3b988
 \ No newline at end of file
 diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8
 new file mode 100644
-index 0000000..ae147cb
+index 0000000..2d4fc17
 --- /dev/null
 +++ b/man/man8/ifconfig_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "ifconfig_selinux"  "8"  "ifconfig" "dwalsh at redhat.com" "ifconfig SELinux Policy documentation"
 +.SH "NAME"
 +ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ifconfig processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ifconfig processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ifconfig processes execute with the ifconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ifconfig_t
 +
++
++.SH "ENTRYPOINTS"
++
++The ifconfig_t SELinux type can be entered via the "ifconfig_exec_t" file type.  The default entrypoint paths for the ifconfig_t domain are the following:"
++
++/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /sbin/ipx_interface, /bin/ip, /usr/bin/ip, /sbin/iwconfig, /usr/sbin/tc, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ip, /sbin/ipx_internal_net
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
++.PP 
++The following process types are defined for ifconfig:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ifconfig_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -35227,27 +37971,9 @@ index 0000000..ae147cb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ifconfig:
-+
-+.EX
-+.B ifconfig_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ifconfig_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ifconfig_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ipsec_var_run_t
@@ -35259,6 +37985,22 @@ index 0000000..ae147cb
 +	/var/run/racoon\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -35280,33 +38022,46 @@ index 0000000..ae147cb
 +selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/inetd_child_selinux.8 b/man/man8/inetd_child_selinux.8
 new file mode 100644
-index 0000000..92e550a
+index 0000000..023a91f
 --- /dev/null
 +++ b/man/man8/inetd_child_selinux.8
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,159 @@
 +.TH  "inetd_child_selinux"  "8"  "inetd_child" "dwalsh at redhat.com" "inetd_child SELinux Policy documentation"
 +.SH "NAME"
 +inetd_child_selinux \- Security Enhanced Linux Policy for the inetd_child processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the inetd_child processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the inetd_child processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The inetd_child processes execute with the inetd_child_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep inetd_child_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The inetd_child_t SELinux type can be entered via the "inetd_child_exec_t" file type.  The default entrypoint paths for the inetd_child_t domain are the following:"
++
++/usr/sbin/identd, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/in\..*d
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the inetd_child_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
++.PP 
++The following process types are defined for inetd_child:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B inetd_child_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -35379,27 +38134,9 @@ index 0000000..92e550a
 +.EE
 +udp 1,9,13,19,891,892
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for inetd_child:
-+
-+.EX
-+.B inetd_child_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type inetd_child_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type inetd_child_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B inetd_child_tmp_t
@@ -35409,6 +38146,22 @@ index 0000000..92e550a
 +.B inetd_child_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the inetd_child_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -35431,37 +38184,50 @@ index 0000000..92e550a
 +
 +.SH "SEE ALSO"
 +selinux(8), inetd_child(8), semanage(8), restorecon(8), chcon(1)
-+, inetd_selinux(8)
++, inetd_selinux(8), inetd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8
 new file mode 100644
-index 0000000..17de539
+index 0000000..a6b61ac
 --- /dev/null
 +++ b/man/man8/inetd_selinux.8
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,209 @@
 +.TH  "inetd_selinux"  "8"  "inetd" "dwalsh at redhat.com" "inetd SELinux Policy documentation"
 +.SH "NAME"
 +inetd_selinux \- Security Enhanced Linux Policy for the inetd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the inetd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the inetd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The inetd processes execute with the inetd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep inetd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The inetd_t SELinux type can be entered via the "inetd_exec_t" file type.  The default entrypoint paths for the inetd_t domain are the following:"
++
++/usr/sbin/inetd, /usr/sbin/xinetd, /usr/sbin/rlinetd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
++.PP 
++The following process types are defined for inetd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B inetd_t, inetd_child_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
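Review bot: The SEE ALSO line of inetd_child_selinux.8 now lists the same page twice (`, inetd_selinux(8), inetd_selinux(8)`). The httpd_w3c_validator_script and httpd_zoneminder_script pages earlier in this patch have the same doubled `httpd_selinux(8)` at the start of their new lists. The line here should stay `, inetd_selinux(8)`. The related-page list presumably needs de-duplicating where it is built.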
@@ -35570,27 +38336,9 @@ index 0000000..17de539
 +.EE
 +udp 1,9,13,19,891,892
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for inetd:
-+
-+.EX
-+.B inetd_t, inetd_child_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type inetd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type inetd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B inetd_log_t
@@ -35614,6 +38362,22 @@ index 0000000..17de539
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
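Review bot: The re-added NSSWITCH DOMAIN paragraph still reads `rather then using a sssd serve`, which should be `rather than using an sssd server`. The same sentence is added to the init and initrc pages later in this patch. The pages share an identical layout, so they look generated (an inference, not stated in the commit), and the wording is best fixed once at the source that produces them.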
@@ -35640,51 +38404,46 @@ index 0000000..17de539
 \ No newline at end of file
 diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8
 new file mode 100644
-index 0000000..a2f10a4
+index 0000000..57563a1
 --- /dev/null
 +++ b/man/man8/init_selinux.8
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,473 @@
 +.TH  "init_selinux"  "8"  "init" "dwalsh at redhat.com" "init SELinux Policy documentation"
 +.SH "NAME"
 +init_selinux \- Security Enhanced Linux Policy for the init processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the init processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the init processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run init with the tightest access possible.
++The init processes execute with the init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to enable support for upstart as the init program, you must turn on the init_upstart boolean.
++.B ps -eZ | grep init_t
 +
-+.EX
-+.B setsebool -P init_upstart 1
-+.EE
 +
-+.PP
-+If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean.
++.SH "ENTRYPOINTS"
 +
-+.EX
-+.B setsebool -P init_systemd 1
-+.EE
-+
-+.SH NSSWITCH DOMAIN
++The init_t SELinux type can be entered via the "init_exec_t" file type.  The default entrypoint paths for the init_t domain are the following:"
 +
++/usr/sbin/init(ng)?, /sbin/init(ng)?, /bin/systemd, /usr/lib/systemd/system-generators/[^/]*, /usr/bin/systemd, /sbin/upstart, /usr/sbin/upstart, /usr/lib/systemd/[^/]*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
 +.PP
-+If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean.
++Policy governs the access confined processes have to files. 
++SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
++.PP 
++The following process types are defined for init:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B initrc_t, init_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
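Review bot: The PROCESS TYPES line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends with `\bP` where the font reset `\fP` is meant, so the bold opened by `\fB` is never closed and `\b` is read as a different roff escape. It should end `option to \fBps\fP`. The same line appears in the inetd, initrc and innd pages in this patch. The ENTRYPOINTS sentence in this hunk also carries a stray `"` after `are the following:`. The init_selinux.8 file section continues beyond this hunk.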
@@ -35796,27 +38555,9 @@ index 0000000..a2f10a4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for init:
-+
-+.EX
-+.B initrc_t, init_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type init_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type init_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B binfmt_misc_fs_t
@@ -36104,6 +38845,22 @@ index 0000000..a2f10a4
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -36114,9 +38871,6 @@ index 0000000..a2f10a4
 +.B semanage module
 +can also be used to enable/disable/install/remove policy modules.
 +
-+.B semanage boolean
-+can also be used to manipulate the booleans
-+
 +.PP
 +.B system-config-selinux 
 +is a GUI tool available to customize SELinux policy settings.
@@ -36126,37 +38880,50 @@ index 0000000..a2f10a4
 +
 +.SH "SEE ALSO"
 +selinux(8), init(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8), initrc_selinux(8)
++, initrc_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8
 new file mode 100644
-index 0000000..5016301
+index 0000000..a647e30
 --- /dev/null
 +++ b/man/man8/initrc_selinux.8
-@@ -0,0 +1,816 @@
+@@ -0,0 +1,827 @@
 +.TH  "initrc_selinux"  "8"  "initrc" "dwalsh at redhat.com" "initrc SELinux Policy documentation"
 +.SH "NAME"
 +initrc_selinux \- Security Enhanced Linux Policy for the initrc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the initrc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the initrc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The initrc processes execute with the initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep initrc_t
++
++
++.SH "ENTRYPOINTS"
++
++The initrc_t SELinux type can be entered via the "puppetmaster_initrc_exec_t,collectd_initrc_exec_t,httpd_initrc_exec_t,kdump_initrc_exec_t,bin_t,dovecot_initrc_exec_t,zebra_initrc_exec_t,lldpad_initrc_exec_t,munin_initrc_exec_t,soundd_initrc_exec_t,uuidd_initrc_exec_t,postfix_initrc_exec_t,ctdbd_initrc_exec_t,glusterd_initrc_exec_t,saslauthd_initrc_exec_t,postgresql_initrc_exec_t,kerberos_initrc_exec_t,apcupsd_initrc_exec_t,cupsd_initrc_exec_t,ksmtuned_initrc_exec_t,tuned_initrc_exec_t,fsdaemon_initrc_exec_t,tgtd_initrc_exec_t,exim_initrc_exec_t,ajaxterm_initrc_exec_t,hddtemp_initrc_exec_t,tcsd_initrc_exec_t,rhsmcertd_initrc_exec_t,svnserve_initrc_exec_t,ftpd_initrc_exec_t,aisexec_initrc_exec_t,auditd_initrc_exec_t,shorewall_initrc_exec_t,wdmd_initrc_exec_t,likewise_initrc_exec_t,cfengine_initrc_exec_t,initrc_exec_t,postgrey_initrc_exec_t,avahi_initrc_exec_t,gpsd_initrc_exec_t,privoxy_initrc_exec_t,nagios_initrc_exec_t,shell_exec_t,cgred_initrc_exec_t,rgmanager_initrc_exec
 _t,tor_initrc_exec_t,radvd_initrc_exec_t,abrt_initrc_exec_t,ipsec_initrc_exec_t,puppet_initrc_exec_t,named_initrc_exec_t,psad_initrc_exec_t,pppd_initrc_exec_t,canna_initrc_exec_t,squid_initrc_exec_t,firewalld_initrc_exec_t,cvs_initrc_exec_t,samba_initrc_exec_t,pacemaker_initrc_exec_t,afs_initrc_exec_t,amavis_initrc_exec_t,spamd_initrc_exec_t,nis_initrc_exec_t,arpwatch_initrc_exec_t,mpd_initrc_exec_t,callweaver_initrc_exec_t,pads_initrc_exec_t,qpidd_initrc_exec_t,smokeping_initrc_exec_t,bcfg2_initrc_exec_t,mscan_initrc_exec_t,rwho_initrc_exec_t,l2tpd_initrc_exec_t,portreserve_initrc_exec_t,icecast_initrc_exec_t,rpcd_initrc_exec_t,NetworkManager_initrc_exec_t,nslcd_initrc_exec_t,slpd_initrc_exec_t,jabberd_initrc_exec_t,memcached_initrc_exec_t,vhostmd_initrc_exec_t,certmaster_initrc_exec_t,mysqld_initrc_exec_t,crond_initrc_exec_t,fail2ban_initrc_exec_t,sssd_initrc_exec_t,zabbix_initrc_exec_t,sshd_initrc_exec_t,dspam_initrc_exec_t,asterisk_initrc_exec_t,setrans_initrc_exec_t,cor
 osync_initrc_exec_t,cmirrord_initrc_exec_t,ypbind_initrc_exec_t,iptables_initrc_exec_t,clvmd_initrc_exec_t,dhcpc_helper_exec_t,prelude_initrc_exec_t,rpcbind_initrc_exec_t,sendmail_initrc_exec_t,dnsmasq_initrc_exec_t,cobblerd_initrc_exec_t,bitlbee_initrc_exec_t,sanlock_initrc_exec_t,slapd_initrc_exec_t,clamd_initrc_exec_t,syslogd_initrc_exec_t,ulogd_initrc_exec_t,glance_api_initrc_exec_t,ntop_initrc_exec_t,ntpd_initrc_exec_t,polipo_initrc_exec_t,nscd_initrc_exec_t,openvpn_initrc_exec_t,bluetooth_initrc_exec_t,chronyd_initrc_exec_t,boinc_initrc_exec_t,nfsd_initrc_exec_t,denyhosts_initrc_exec_t,cgconfig_initrc_exec_t,mongod_initrc_exec_t,automount_initrc_exec_t,roundup_initrc_exec_t,zoneminder_initrc_exec_t,certmonger_initrc_exec_t,ddclient_initrc_exec_t,dictd_initrc_exec_t,snort_initrc_exec_t,ricci_initrc_exec_t,snmpd_initrc_exec_t,innd_initrc_exec_t,pingd_initrc_exec_t,iwhd_initrc_exec_t,radiusd_initrc_exec_t,aiccu_initrc_exec_t,dhcpd_initrc_exec_t,lircd_initrc_exec_t,mysqlma
 nagerd_initrc_exec_t,cyrus_initrc_exec_t,varnishd_initrc_exec_t,virtd_initrc_exec_t,varnishlog_initrc_exec_t,zabbix_agent_initrc_exec_t,piranha_pulse_initrc_exec_t,glance_registry_initrc_exec_t" file types.  The default entrypoint paths for the initrc_t domain are the following:"
 +
++/etc/rc\.d/init\.d/puppetmaster, /etc/rc\.d/init\.d/collectd, /etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, /etc/rc\.d/init\.d/lighttpd, /etc/rc\.d/init\.d/kdump, /etc/ppp/ip-up\..*, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /usr/lib/virtualbox/VBoxManage, /usr/lib/.*/scripts(/.*)?, /etc/ppp/ip-down\..*, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/shorewall-perl(/.*)?, /usr/Brother(/.*)?, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/lib/mailman.*/mail(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/share/cluster/ocf-shellfuncs, /bin, /usr/lib/.*/program(/.*)?, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/apr-0/build/libtool, /usr/lib/pm-utils(/.*)?, /etc/sysconfig/network-scripts/net.*, /usr/share/system-config-language/system-config-language, /usr/lib/vte/gnome-pty-helper, /etc/lxdm/Pre.*, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/nagios/plugins(/.*)?, /usr/share/PackageKit/helpers(/.*)?, /usr/share/e1
 6/misc(/.*)?, /usr/lib/fence(/.*)?, /etc/sysconfig/network-scripts/init.*, /usr/lib/xulrunner[^/]*/updater, /etc/mcelog/cache-error-trigger, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-netboot/pxeos\.py, /usr/share/cluster/.*\.sh, /usr/lib/udev/devices/MAKEDEV, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/mc/extfs/.*, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /var/qmail/rc, /var/mailman.*/bin(/.*)?, /usr/share/system-config-nfs/system-config-nfs\.py, /sbin, /usr/share/texmf/web2c/mktexupd, /usr/lib/readahead(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/xen/bin(/.*)?, /usr/share/Modules/init(/.*)?, /var/qmail/bin, /opt/google/talkplugin(/.*)?, /etc/profile.d(/.*)?, /usr/share/hwbrowser/hwbrowser, /usr/share/dayplanner/dayplanner, /usr/lib/nspluginwrapper/np.*, /usr/share/printconf/util/print\.py, /usr/lib/[^/]*/run-mozilla\.sh, /usr/linuxprinter/filters(/.*)?, /usr/share/system-config-network/neat-control\.py, /usr/lib/[^/]*/mozilla-xremote-c
 lient, /usr/share/hal/scripts(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/share/system-config-selinux/polgen\.py, /usr/lib(.*/)?sbin(/.*)?, /lib/udev/devices/MAKEDEV, /etc/vmware-tools(/.*)?, /etc/PackageKit/events(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /usr/share/sectool/.*\.py, /etc/pki/tls/certs/make-dummy-cert, /usr/lib/rpm/rpmd, /usr/lib/tuned/.*/.*\.sh, /usr/share/cluster/svclib_nfslock, /usr/libexec(/.*)?, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/apr-0/build/[^/]+\.sh, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /bin/mountpoint, /usr/share/rhn/rhn_applet/needed-packages\.py, /lib/security/pam_krb5(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/rpm/rpmk, /etc/apcupsd/commok, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/clamav/freshclam-sleep, /usr/lib/mediawiki/math/texvc.*, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/xfce4(/.*)?, /usr/share/system-config-services/system-config-services, /opt/(.*/)?libexec(/.*)?, /emul/ia32-linu
 x/usr(/.*)?/Bin(/.*)?, /usr/lib/debug/sbin(/.*)?, /etc/sysconfig/libvirtd, /etc/cron.weekly(/.*)?, /usr/lib/ccache/bin(/.*)?, /sbin/.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /usr/lib/yp/.+, /usr/share/wicd/daemon(/.*)?, /etc/ppp/ipv6-up\..*, /etc/acpi/actions(/.*)?, /etc/sysconfig/network-scripts/ifdown.*, /usr/share/cluster/SAPDatabase, /usr/share/system-config-soundcard/system-config-soundcard, /usr/lib/udev/scsi_id, /etc/pm/power\.d(/.*)?, /usr/share/system-config-services/gui\.py, /etc/lxdm/Xsession, /usr/lib/cyrus-imapd/.*, /usr/sbin/insmod_ksymoops_clean, /etc/cipe/ip-down.*, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/share/shorewall/compiler\.pl, /usr/share/pydict/pydict\.py, /dev/MAKEDEV, /usr/share/shorewall-shell(/.*)?, /emul/ia32-linux/bin(/.*)?, /root/bin(/.*)?, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/system-config-selinux\.py, /etc/ppp/ipv6-down\..*, /usr/share/pwlib/make/ptlib
 -config, /usr/lib/ConsoleKit/scripts(/.*)?, /opt/(.*/)?bin(/.*)?, /etc/init\.d/functions, /lib/readahead(/.*)?, /etc/apcupsd/apccontrol, /usr/share/system-config-samba/system-config-samba\.py, /usr/lib/misc/sftp-server, /etc/apcupsd/onbattery, /usr/lib/qt.*/bin(/.*)?, /usr/share/cvs/contrib/rcs2log, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/fedora-usermgmt/wrapper, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/share/ssl/misc(/.*)?, /etc/apcupsd/changeme, /etc/apcupsd/offbattery, /etc/apcupsd/commfailure, /etc/sysconfig/readonly-root, /etc/cron.monthly(/.*)?, /var/ftp/bin(/.*)?, /usr/lib/xfce4/xfwm4/helper-dialog, /usr/lib/iscan/network, /usr/share/shorewall-lite(/.*)?, /usr/Printer(/.*)?, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/lib/news/bin(/.*)?, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-netboot/pxeboot\.
 py, /etc/auto\.[^/]*, /usr/Brother/(.*/)?inf/brprintconf.*, /etc/apcupsd/masterconnect, /etc/avahi/.*\.action, /usr/lib/netsaint/plugins(/.*)?, /usr/share/authconfig/authconfig-tui\.py, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/lib/dracut(/.*)?, /usr/share/kde4/apps/kajongg/kajongg.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/selinux/devel/policygentool, /etc/mail/make, /usr/lib/debug/usr/libexec(/.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/libexec/openssh/sftp-server, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/chromium-browser(/.*)?, /etc/sysconfig/init, /usr/share/system-logviewer/system-logviewer\.py, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /usr/lib/wicd/monitor\.py, /etc/pki/tls/misc(/.*)?, /etc/cron.hourly(/.*)?, /etc/xen/qemu-ifup, /usr/share/system-config-services/serviceconf\.py, /usr/share/tucan.*/tucan.py, /usr/lib/portage/bin(/.*)?, /etc/lxdm/L
 oginReady, /etc/mcelog/triggers(/.*)?, /usr/share/texmf/web2c/mktexnam, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/apt/methods.+, /etc/rc\.d/init\.d/functions, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /etc/kde/shutdown(/.*)?, /usr/lib/cups(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /usr/share/gnucash/finance-quote-helper, /etc/cron.daily(/.*)?, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/lib/rpm/rpmv, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/munin/plugins(/.*)?, /usr/share/clamav/clamd-gen, /etc/lxdm/Post.*, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /etc/hotplug/.*agent, /usr/lib/emacsen-common/.*, /usr/lib/jvm/java(.*/)bin(/.*), /etc/sysconfig/network-scripts/ifup.*, /usr/lib/xfce4/xfconf/xfconfd, /usr/lib/MailScanner(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/share/ajaxterm/qweb.py.*, /usr/share/switchdesk/switchdesk-gui\.py, /usr/lib/ipsec/.*, /usr/share/turboprint/lib(/.*)?, /usr/sbin/mkfs\.cramfs, /var/qmail/bin(/.*)?, /etc/sysconfig/cron
 d, /usr/share/hplip/[^/]*, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/debconf/.+, /usr/share/shorewall/configpath, /usr/bin/pingus.*, /etc/hotplug/hotplug\.functions, /usr/lib/mailman.*/bin(/.*)?, /usr/share/texmf/web2c/mktexdir, /usr/share/gnucash/finance-quote-check, /etc/redhat-lsb(/.*)?, /usr/X11R6/lib/X11/xkb/xkbcomp, /etc/gdm/[^/]+, /opt/google/chrome(/.*)?, /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/dpkg/.+, /usr/share/sandbox/sandboxX.sh, /etc/cipe/ip-up.*, /usr/lib/udev/[^/]*, /usr/bin/mountpoint, /lib/udev/scsi_id, /bin/.*, /emul/ia32-linux/sbin(/.*)?, /var/lib/iscan/interpreter, /etc/dhcp/dhclient\.d(/.*)?, /etc/racoon/scripts(/.*)?, /opt/(.*/)?sbin(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/spamassassin/sa-update\.cron, /usr/share/rhn/rhn_applet/applet\.py, /etc/X11/xdm/TakeConsole, /usr/(.*/)?sbin(/.*)?, /etc/X11/xinit(/.*)?, /usr/share/shorewall/getparams, /usr/share/cluster/checkquorum, /etc/X11/xdm/GiveConsole, /usr/lib/xfce4/session/xfsm-sh
 utdown-helper, /lib/upstart(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/gdm/[^/]+/.*, /usr/share/system-config-httpd/system-config-httpd, /usr/lib/upstart(/.*)?, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/system-config-users/system-config-users, /etc/mgetty\+sendfax/new_fax, /usr/lib/debug/bin(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /etc/hotplug/.*rc, /usr/lib/courier(/.*)?, /etc/X11/xdm/Xsetup_0, /etc/netplug\.d(/.*)?, /usr/Brother/(.*/)?inf/setup.*, /usr/lib/xfce4/session/balou-install-theme, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/smolt/client(/.*)?, /usr/bin, /etc/sysconfig/netconsole, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/xfce4/panel/migrate, /usr/share/ajaxterm/ajaxterm.py.*, /sbin/mkfs\.cramfs, /usr/share/authconfig/authconfig\.py, /usr/share/system-config-date/system-config-date\.py, /usr/share/virtualbox/.*\.sh, /etc/apcupsd/mastertimeout, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/texmf/texc
 onfig/tcfmgr, /etc/kde/env(/.*)?, /usr/lib/rpm/rpmq, /sbin/insmod_ksymoops_clean, /usr/lib/xfce4/panel/wrapper, /usr/share/system-config-printer/applet\.py, /etc/hotplug\.d/default/default.*, /usr/lib(.*/)?bin(/.*)?, /usr/share/gitolite/hooks/common/update, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /usr/lib/sftp-server, /usr/share/system-config-display/system-config-display, /lib/udev/[^/]*, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/denyhosts/scripts(/.*)?, /usr/share/createrepo(/.*)?, /usr/lib/yaboot/addnote, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/share/cluster/SAPInstance, /etc/rc\.d/init\.d/dovecot, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ospfd, /etc/rc\.d/init\.d/lldpad, /etc/rc\.d/init\.d/munin-node, /etc/rc\.d/init\.d/nasd, /etc/rc\.d/init\.d/uuidd, /etc/rc\.d/init\.d/postfix, /etc/rc\.d/init\.d/ctdb, /usr/sbin/glusterd, /etc/rc\.d/init\.d/gluster
 d, /etc/rc\.d/init\.d/sasl, /etc/rc\.d/init\.d/(se)?postgresql, /etc/rc\.d/init\.d/krb5kdc, /etc/rc\.d/init\.d/kprop, /etc/rc\.d/init\.d/kadmind, /etc/rc\.d/init\.d/krb524d, /etc/rc\.d/init\.d/apcupsd, /etc/rc\.d/init\.d/cups, /etc/rc\.d/init\.d/ksmtuned, /etc/rc\.d/init\.d/tuned, /etc/rc\.d/init\.d/smartd, /etc/rc\.d/init\.d/tgtd, /etc/rc\.d/init\.d/exim, /etc/rc\.d/init\.d/ajaxterm, /etc/rc\.d/init\.d/hddtemp, /etc/rc\.d/init\.d/tcsd, /etc/rc\.d/init\.d/rhsmcertd, /etc/rc.d/init.d/svnserve, /etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/vsftpd, /etc/rc\.d/init\.d/openais, /etc/rc\.d/init\.d/auditd, /etc/rc\.d/init\.d/shorewall, /etc/rc\.d/init\.d/shorewall-lite, /etc/rc\.d/init\.d/wdmd, /etc/rc\.d/init\.d/eventlogd, /etc/rc\.d/init\.d/dcerpcd, /etc/rc\.d/init\.d/lwregd, /etc/rc\.d/init\.d/lwiod, /etc/rc\.d/init\.d/lsassd, /etc/rc\.d/init\.d/netlogond, /etc/rc\.d/init\.d/srvsvcd, /etc/rc\.d/init\.d/lwsmd, /etc/rc\.d/init\.d/cf-serverd, /etc/rc\.d/init\.d/cf-execd, /etc/rc\.
 d/init\.d/cf-monitord, /usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/restart-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/share/system-config-services/system-config-services-mechanism\.py, /usr/sbin/apachectl, /etc/init\.d/.*, /usr/bin/sepg_ctl, /etc/rc\.d/init\.d/postgrey, /etc/rc\.d/init\.d/avahi.*, /etc/rc\.d/init\.d/gpsd, /etc/rc\.d/init\.d/privoxy, /etc/rc\.d/init\.d/nagios, /etc/rc\.d/init\.d/nrpe, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin
 /sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /etc/rc\.d/init\.d/cgred, /etc/rc\.d/init\.d/rgmanager, /etc/rc\.d/init\.d/cpglockd, /etc/rc\.d/init\.d/heartbeat, /etc/rc\.d/init\.d/tor, /etc/rc\.d/init\.d/radvd, /etc/rc\.d/init\.d/abrt, /etc/rc\.d/init\.d/racoon, /etc/rc\.d/init\.d/ipsec, /etc/rc\.d/init\.d/puppet, /etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound, /etc/rc\.d/init\.d/psad, /etc/rc\.d/init\.d/ppp, /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc\.d/init\.d/canna, /etc/rc\.d/init\.d/squid, /etc/rc\.d/init\.d/firewalld, /etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind, /etc/rc\.d/init\.d/pacemaker, /etc/rc\.d/init\.d/afs, /etc/rc\.d/init\.d/openafs-client, /etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp, /etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/ypserv, /etc/rc\.d/init\.d/y
 pxfrd, /etc/rc\.d/init\.d/yppasswd, /etc/rc\.d/init\.d/arpwatch, /etc/rc\.d/init\.d/mpd, /etc/rc\.d/init\.d/callweaver, /etc/rc\.d/init\.d/pads, /etc/rc\.d/init\.d/qpidd, /etc/rc\.d/init\.d/smokeping, /etc/rc\.d/init\.d/bcfg2, /etc/rc\.d/init\.d/MailScanner, /etc/rc\.d/init\.d/rwhod, /etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd, /etc/rc\.d/init\.d/portreserve, /etc/rc\.d/init\.d/icecast, /etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd, /etc/rc\.d/init\.d/wicd, /etc/NetworkManager/dispatcher\.d(/.*)?, /usr/libexec/nm-dispatcher.action, /etc/rc\.d/init\.d/nslcd, /etc/rc\.d/init\.d/slpd, /etc/rc\.d/init\.d/jabberd, /etc/rc\.d/init\.d/memcached, /etc/rc.d/init.d/vhostmd, /etc/rc\.d/init\.d/certmaster, /etc/rc\.d/init\.d/mysqld, /etc/rc\.d/init\.d/atd, /etc/rc\.d/init\.d/fail2ban, /etc/rc\.d/init\.d/sssd, /etc/rc\.d/init\.d/zabbix-server, /etc/rc\.d/init\.d/zabbix, /etc/rc\.d/init\.d/sshd, /etc/rc\.d/init\.d/dspam, /etc/rc\.d/init\
 .d/asterisk, /etc/rc\.d/init\.d/mcstrans, /etc/rc\.d/init\.d/corosync, /etc/rc\.d/init\.d/cmirrord, /etc/rc\.d/init\.d/ypbind, /etc/rc\.d/init\.d/ebtables, /etc/rc\.d/init\.d/ip6?tables, /etc/firestarter/firestarter\.sh, /etc/rc\.d/init\.d/prelude-correlator, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-lml, /etc/rc\.d/init\.d/rpcbind, /etc/rc\.d/init\.d/sendmail, /etc/rc\.d/init\.d/dnsmasq, /etc/rc\.d/init\.d/cobblerd, /etc/rc\.d/init\.d/bitlbee, /etc/rc\.d/init\.d/sanlock, /etc/rc\.d/init\.d/slapd, /etc/rc\.d/init\.d/clamd-wrapper, /etc/rc\.d/init\.d/rsyslog, /etc/rc\.d/init\.d/ulogd, /etc/rc\.d/init\.d/openstack-glance-api, /etc/rc\.d/init\.d/ntpd, /etc/rc\.d/init\.d/polipo, /etc/rc\.d/init\.d/nscd, /etc/rc\.d/init\.d/openvpn, /etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/bluetooth, /etc/rc\.d/init\.d/pand, /etc/rc\.d/init\.d/chronyd, /etc/rc\.d/init\.d/boinc-client, /etc/rc\.d/init\.d/nfs, /etc/rc\.d/init\.d/denyhosts, /etc/rc\.d/init\.d/cgconfig, /etc/rc
 \.d/init\.d/mongod, /etc/rc\.d/init\.d/autofs, /etc/rc\.d/init\.d/roundup, /etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder, /etc/rc\.d/init\.d/certmonger, /etc/rc\.d/init\.d/ddclient, /etc/rc\.d/init\.d/dictd, /etc/rc\.d/init\.d/snortd, /etc/rc\.d/init\.d/ricci, /etc/rc\.d/init\.d/snmpd, /etc/rc\.d/init\.d/snmptrapd, /etc/rc\.d/init\.d/innd, /etc/rc\.d/init\.d/whatsup-pingd, /etc/rc\.d/init\.d/iwhd, /etc/rc\.d/init\.d/radiusd, /etc/rc\.d/init\.d/aiccu, /etc/rc\.d/init\.d/dhcpd(6)?, /etc/rc\.d/init\.d/lirc, /etc/rc\.d/init\.d/mysqlmanager, /etc/rc\.d/init\.d/cyrus, /etc/rc\.d/init\.d/varnish, /etc/rc\.d/init\.d/libvirtd, /etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa, /etc/rc\.d/init\.d/zabbix-agentd, /etc/rc\.d/init\.d/pulse, /etc/rc\.d/init\.d/openstack-glance-registry
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
++.PP 
++The following process types are defined for initrc:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B initrc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
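Review bot: The SEE ALSO line of init_selinux.8 now reads `, initrc_selinux(8)` and no longer lists `setsebool(8)`, yet the page still tells the reader to run `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1` in the NSSWITCH DOMAIN section added by an earlier hunk. Keeping the reference as `, setsebool(8), initrc_selinux(8)` lets an administrator look up what `-P` does before making a boolean change persistent. The removal presumably follows from the BOOLEANS section being dropped; that is inferred from the hunks, not stated in the commit message.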
@@ -36232,27 +38999,9 @@ index 0000000..5016301
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for initrc:
-+
-+.EX
-+.B initrc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type initrc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type initrc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_var_run_t
@@ -36930,6 +39679,22 @@ index 0000000..5016301
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -36953,19 +39718,46 @@ index 0000000..5016301
 \ No newline at end of file
 diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8
 new file mode 100644
-index 0000000..fa3b786
+index 0000000..a295729
 --- /dev/null
 +++ b/man/man8/innd_selinux.8
-@@ -0,0 +1,177 @@
+@@ -0,0 +1,188 @@
 +.TH  "innd_selinux"  "8"  "innd" "dwalsh at redhat.com" "innd SELinux Policy documentation"
 +.SH "NAME"
 +innd_selinux \- Security Enhanced Linux Policy for the innd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the innd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the innd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The innd processes execute with the innd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep innd_t
++
++
++.SH "ENTRYPOINTS"
++
++The innd_t SELinux type can be entered via the "innd_exec_t" file type.  The default entrypoint paths for the innd_t domain are the following:"
++
++/usr/bin/suck, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/convdate, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/expireover, /usr/bin/rnews, /usr/lib/news/bin/innd, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/l
 ib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/inndf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
++.PP 
++The following process types are defined for innd:
++
++.EX
++.B innd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
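Review bot: The Note under PROCESS TYPES documents `semanage permissive -a PROCESS_TYPE` without saying that it is a troubleshooting aid or how to undo it. A reader who follows it leaves that domain without SELinux enforcement until the setting is removed. I would add a sentence after it, for example `Remove the permissive setting with semanage permissive -d PROCESS_TYPE once the AVC messages have been reviewed.` The same Note is added unchanged to the inetd, init and initrc pages in this patch.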
@@ -37064,27 +39856,9 @@ index 0000000..fa3b786
 +Default Defined Ports:
 +tcp 119
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for innd:
-+
-+.EX
-+.B innd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type innd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type innd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B innd_log_t
@@ -37112,6 +39886,8 @@ index 0000000..fa3b786
 +	/var/spool/news(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
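Review bot: The `.SH NSSWITCH DOMAIN` heading added just before `.SH "COMMANDS"` on the innd page has no body, so the rendered page shows an empty section. The same empty heading is added in the irc_selinux.8 and irqbalance_selinux.8 hunks further down. Judging by the insmod and ipsec pages, the section is meant to hold the nsswitch-related booleans, so the heading should be emitted only when there is at least one to list. If the heading has to stay, give it a line such as `No nsswitch booleans apply to this domain.`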
@@ -37136,50 +39912,63 @@ index 0000000..fa3b786
 +selinux(8), innd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8
 new file mode 100644
-index 0000000..8c6dfee
+index 0000000..13c6e2d
 --- /dev/null
 +++ b/man/man8/insmod_selinux.8
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,182 @@
 +.TH  "insmod_selinux"  "8"  "insmod" "dwalsh at redhat.com" "insmod SELinux Policy documentation"
 +.SH "NAME"
 +insmod_selinux \- Security Enhanced Linux Policy for the insmod processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the insmod processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the insmod processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible.
++The insmod processes execute with the insmod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean.
++.B ps -eZ | grep insmod_t
 +
-+.EX
-+.B setsebool -P secure_mode_insmod 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The insmod_t SELinux type can be entered via the "insmod_exec_t" file type.  The default entrypoint paths for the insmod_t domain are the following:"
++
++/sbin/rmmod.*, /sbin/modprobe.*, /sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod, /usr/sbin/insmod.*, /usr/sbin/rmmod.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
++.PP 
++The following process types are defined for insmod:
 +
 +.EX
-+.B setsebool -P pppd_can_insmod 1
++.B insmod_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P secure_mode_insmod 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean.
++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P pppd_can_insmod 1
 +.EE
 +
 +.SH FILE CONTEXTS
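Review bot: The PROCESS TYPES text moved to the top of insmod_selinux.8 still closes the bold span with `\bP` in `option to \fBps\bP`. `\b` is not a font escape, so bold is presumably never switched off and the sentence will not render as intended. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried unchanged into the ipsec_mgmt, ipsec, iptables, irc, irqbalance and irssi pages below, while the new DESCRIPTION paragraph in each page already uses the correct `\fBps\fP`.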
@@ -37220,27 +40009,9 @@ index 0000000..8c6dfee
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for insmod:
-+
-+.EX
-+.B insmod_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type insmod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type insmod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B initrc_tmp_t
@@ -37288,6 +40059,22 @@ index 0000000..8c6dfee
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -37314,33 +40101,46 @@ index 0000000..8c6dfee
 \ No newline at end of file
 diff --git a/man/man8/ipsec_mgmt_selinux.8 b/man/man8/ipsec_mgmt_selinux.8
 new file mode 100644
-index 0000000..1d7bb54
+index 0000000..c9b623b
 --- /dev/null
 +++ b/man/man8/ipsec_mgmt_selinux.8
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,191 @@
 +.TH  "ipsec_mgmt_selinux"  "8"  "ipsec_mgmt" "dwalsh at redhat.com" "ipsec_mgmt SELinux Policy documentation"
 +.SH "NAME"
 +ipsec_mgmt_selinux \- Security Enhanced Linux Policy for the ipsec_mgmt processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ipsec_mgmt processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ipsec_mgmt processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ipsec_mgmt processes execute with the ipsec_mgmt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ipsec_mgmt_t
 +
++
++.SH "ENTRYPOINTS"
++
++The ipsec_mgmt_t SELinux type can be entered via the "shell_exec_t,ipsec_mgmt_exec_t" file types.  The default entrypoint paths for the ipsec_mgmt_t domain are the following:"
++
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh, /usr/lib/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /usr/sbin/ipsec, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible.
++.PP 
++The following process types are defined for ipsec_mgmt:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ipsec_mgmt_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
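Review bot: The new ENTRYPOINTS section for ipsec_mgmt_t lists every path labelled `shell_exec_t` (bash, zsh, nologin and so on) as a default entrypoint, without saying that an entrypoint only permits entering the domain through that file. Read on its own, the list suggests that starting any shell ends up in ipsec_mgmt_t. I would add a sentence after the path list such as `An entrypoint is only usable from a domain that policy allows to transition to ipsec_mgmt_t.` The sentence introducing the list also ends with a stray `"` after `following:`, here and in the ENTRYPOINTS sections of the other pages.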
@@ -37388,27 +40188,9 @@ index 0000000..1d7bb54
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ipsec_mgmt:
-+
-+.EX
-+.B ipsec_mgmt_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ipsec_mgmt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ipsec_mgmt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ipsec_key_file_t
@@ -37478,6 +40260,22 @@ index 0000000..1d7bb54
 +	/etc/ethers
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -37497,37 +40295,50 @@ index 0000000..1d7bb54
 +
 +.SH "SEE ALSO"
 +selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1)
-+, ipsec_selinux(8)
++, ipsec_selinux(8), ipsec_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8
 new file mode 100644
-index 0000000..967d4c0
+index 0000000..8b748d6
 --- /dev/null
 +++ b/man/man8/ipsec_selinux.8
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,285 @@
 +.TH  "ipsec_selinux"  "8"  "ipsec" "dwalsh at redhat.com" "ipsec SELinux Policy documentation"
 +.SH "NAME"
 +ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ipsec processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ipsec processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ipsec processes execute with the ipsec_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ipsec_t
++
++
++.SH "ENTRYPOINTS"
 +
++The ipsec_t SELinux type can be entered via the "ipsec_exec_t" file type.  The default entrypoint paths for the ipsec_t domain are the following:"
++
++/usr/lib/ipsec/pluto, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/spi, /usr/lib/ipsec/eroute, /usr/libexec/ipsec/spi, /usr/libexec/ipsec/klipsdebug
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
++.PP 
++The following process types are defined for ipsec:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ipsec_t, ipsec_mgmt_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
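Review bot: The changed SEE ALSO line in ipsec_mgmt_selinux.8 now lists the same page twice, `, ipsec_selinux(8), ipsec_selinux(8)`, which suggests the generator appends a related page once per match without de-duplicating. The line should stay `, ipsec_selinux(8)`. It also starts with a comma on a line of its own, so the rendered text is likely `chcon(1) , ipsec_selinux(8)`; joining it to the preceding line would fix that.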
@@ -37676,27 +40487,9 @@ index 0000000..967d4c0
 +.EE
 +udp 4500
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ipsec:
-+
-+.EX
-+.B ipsec_t, ipsec_mgmt_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ipsec_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ipsec_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ipsec_key_file_t
@@ -37756,6 +40549,22 @@ index 0000000..967d4c0
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -37782,43 +40591,56 @@ index 0000000..967d4c0
 \ No newline at end of file
 diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8
 new file mode 100644
-index 0000000..cbb0783
+index 0000000..e109fae
 --- /dev/null
 +++ b/man/man8/iptables_selinux.8
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,261 @@
 +.TH  "iptables_selinux"  "8"  "iptables" "dwalsh at redhat.com" "iptables SELinux Policy documentation"
 +.SH "NAME"
 +iptables_selinux \- Security Enhanced Linux Policy for the iptables processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the iptables processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the iptables processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible.
++The iptables processes execute with the iptables_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
++.B ps -eZ | grep iptables_t
 +
-+.EX
-+.B setsebool -P dhcpc_exec_iptables 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The iptables_t SELinux type can be entered via the "iptables_exec_t" file type.  The default entrypoint paths for the iptables_t domain are the following:"
 +
++/usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-restore, /sbin/ebtables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /sbin/ebtables, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
++.PP 
++The following process types are defined for iptables:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B iptables_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean.
++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P dhcpc_exec_iptables 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -37891,27 +40713,9 @@ index 0000000..cbb0783
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for iptables:
-+
-+.EX
-+.B iptables_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type iptables_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type iptables_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -38013,6 +40817,22 @@ index 0000000..cbb0783
 +	/etc/sysconfig/system-config-firewall.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -38039,19 +40859,46 @@ index 0000000..cbb0783
 \ No newline at end of file
 diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8
 new file mode 100644
-index 0000000..f452dfc
+index 0000000..b0661ea
 --- /dev/null
 +++ b/man/man8/irc_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,148 @@
 +.TH  "irc_selinux"  "8"  "irc" "dwalsh at redhat.com" "irc SELinux Policy documentation"
 +.SH "NAME"
 +irc_selinux \- Security Enhanced Linux Policy for the irc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the irc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the irc processes via flexible mandatory access control.
++
++The irc processes execute with the irc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep irc_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The irc_t SELinux type can be entered via the "irc_exec_t" file type.  The default entrypoint paths for the irc_t domain are the following:"
++
++/usr/bin/tinyirc, /usr/bin/[st]irc, /usr/bin/ircII
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
++.PP 
++The following process types are defined for irc:
++
++.EX
++.B irc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -38122,38 +40969,26 @@ index 0000000..f452dfc
 +Default Defined Ports:
 +tcp 6667,6697
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for irc:
-+
-+.EX
-+.B irc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type irc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type irc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B irc_home_t
 +
 +	/home/[^/]*/\.ircmotd
 +.br
++	/home/dwalsh/\.ircmotd
++.br
++	/var/lib/xguest/home/xguest/\.ircmotd
++.br
 +
 +.br
 +.B irc_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
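Review bot: The added paths `/home/dwalsh/\.ircmotd` and `/var/lib/xguest/home/xguest/\.ircmotd` under `irc_home_t` look like expansions for accounts on the machine where the page was generated, not defaults of the policy. The `/home/dwalsh` entry is already covered by `/home/[^/]*/\.ircmotd`, and shipping both puts a local account name and home-directory layout into every installed copy of the page. The two added path lines and their `.br` lines should be dropped, and the generator should skip per-user expansions of home-directory patterns. The irssi_selinux.8 hunk further down adds four more such paths under `irssi_home_t`.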
@@ -38178,19 +41013,46 @@ index 0000000..f452dfc
 +selinux(8), irc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8
 new file mode 100644
-index 0000000..6703be5
+index 0000000..773b7c6
 --- /dev/null
 +++ b/man/man8/irqbalance_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "irqbalance_selinux"  "8"  "irqbalance" "dwalsh at redhat.com" "irqbalance SELinux Policy documentation"
 +.SH "NAME"
 +irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the irqbalance processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the irqbalance processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The irqbalance processes execute with the irqbalance_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep irqbalance_t
++
++
++.SH "ENTRYPOINTS"
++
++The irqbalance_t SELinux type can be entered via the "irqbalance_exec_t" file type.  The default entrypoint paths for the irqbalance_t domain are the following:"
++
++/usr/sbin/irqbalance
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
++.PP 
++The following process types are defined for irqbalance:
++
++.EX
++.B irqbalance_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -38226,32 +41088,16 @@ index 0000000..6703be5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for irqbalance:
-+
-+.EX
-+.B irqbalance_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type irqbalance_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type irqbalance_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B irqbalance_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -38273,43 +41119,56 @@ index 0000000..6703be5
 +selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8
 new file mode 100644
-index 0000000..7ba6834
+index 0000000..c4c5f95
 --- /dev/null
 +++ b/man/man8/irssi_selinux.8
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,149 @@
 +.TH  "irssi_selinux"  "8"  "irssi" "dwalsh at redhat.com" "irssi SELinux Policy documentation"
 +.SH "NAME"
 +irssi_selinux \- Security Enhanced Linux Policy for the irssi processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the irssi processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the irssi processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible.
++The irssi processes execute with the irssi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
++.B ps -eZ | grep irssi_t
 +
-+.EX
-+.B setsebool -P irssi_use_full_network 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The irssi_t SELinux type can be entered via the "irssi_exec_t" file type.  The default entrypoint paths for the irssi_t domain are the following:"
++
++/usr/bin/irssi
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
++.PP 
++The following process types are defined for irssi:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B irssi_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the irssi_t, you must turn on the kerberos_enabled boolean.
++If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P irssi_use_full_network 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -38354,27 +41213,9 @@ index 0000000..7ba6834
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for irssi:
-+
-+.EX
-+.B irssi_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type irssi_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type irssi_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B irssi_home_t
@@ -38383,6 +41224,30 @@ index 0000000..7ba6834
 +.br
 +	/home/[^/]*/irclogs(/.*)?
 +.br
++	/home/dwalsh/\.irssi(/.*)?
++.br
++	/home/dwalsh/irclogs(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.irssi(/.*)?
++.br
++	/var/lib/xguest/home/xguest/irclogs(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the irssi_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
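Review bot: The four entries added under `irssi_home_t` (`/home/dwalsh/\.irssi(/.*)?`, `/home/dwalsh/irclogs(/.*)?` and the two `/var/lib/xguest/home/xguest/...` paths) look like home-directory contexts expanded from accounts on the host that generated the page, not policy defaults. The generic `/home/[^/]*/irclogs(/.*)?` context line just above already covers them. Shipping them publishes local account names and documents paths that will not exist on a reader's system. I would drop those eight added lines (each path and its `.br`) and have the generator skip per-user expansions. The irssi page continues outside this hunk, so other sections may carry the same entries.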
@@ -38410,33 +41275,46 @@ index 0000000..7ba6834
 \ No newline at end of file
 diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8
 new file mode 100644
-index 0000000..56493a2
+index 0000000..73041bb
 --- /dev/null
 +++ b/man/man8/iscsid_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,162 @@
 +.TH  "iscsid_selinux"  "8"  "iscsid" "dwalsh at redhat.com" "iscsid SELinux Policy documentation"
 +.SH "NAME"
 +iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the iscsid processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the iscsid processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The iscsid processes execute with the iscsid_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep iscsid_t
 +
++
++.SH "ENTRYPOINTS"
++
++The iscsid_t SELinux type can be entered via the "iscsid_exec_t" file type.  The default entrypoint paths for the iscsid_t domain are the following:"
++
++/sbin/brcm_iscsiuio, /sbin/iscsiuio, /usr/sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/brcm_iscsiuio, /sbin/iscsid
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
++.PP 
++The following process types are defined for iscsid:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B iscsid_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
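Review bot: The new iscsid text has two markup slips. The ENTRYPOINTS sentence ends with a stray quote (`...are the following:"`), and the PROCESS TYPES line closes bold with `\bP` instead of `\fP`, so the font is not reset after `ps`. Proposed: `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`, and drop the `"` after `following:`. The same two lines recur in the iwhd, jabberd_router, jabberd, jockey, kadmind, kdump and kdumpctl pages in later hunks, so the fix belongs in the generator template. The page body continues outside this hunk.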
@@ -38491,27 +41369,9 @@ index 0000000..56493a2
 +Default Defined Ports:
 +tcp 3260
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for iscsid:
-+
-+.EX
-+.B iscsid_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type iscsid_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type iscsid_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B iscsi_lock_t
@@ -38543,6 +41403,22 @@ index 0000000..56493a2
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -38567,19 +41443,46 @@ index 0000000..56493a2
 +selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8
 new file mode 100644
-index 0000000..e6502cf
+index 0000000..e5e9d21
 --- /dev/null
 +++ b/man/man8/iwhd_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "iwhd_selinux"  "8"  "iwhd" "dwalsh at redhat.com" "iwhd SELinux Policy documentation"
 +.SH "NAME"
 +iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the iwhd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the iwhd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The iwhd processes execute with the iwhd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep iwhd_t
++
++
++.SH "ENTRYPOINTS"
++
++The iwhd_t SELinux type can be entered via the "iwhd_exec_t" file type.  The default entrypoint paths for the iwhd_t domain are the following:"
++
++/usr/bin/iwhd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
++.PP 
++The following process types are defined for iwhd:
++
++.EX
++.B iwhd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
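Review bot: The relocated note on `semanage permissive -a PROCESS_TYPE` tells the reader how to stop SELinux denying access for iwhd_t, but not that this leaves the domain unconfined in practice, nor how to undo it. I would add one sentence after it, for example `Use permissive mode only while troubleshooting, and return the type to enforcing with semanage permissive -d PROCESS_TYPE.` The same paragraph is emitted for every page in this patch, so the wording is best changed once in the generator template.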
@@ -38639,27 +41542,9 @@ index 0000000..e6502cf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for iwhd:
-+
-+.EX
-+.B iwhd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type iwhd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type iwhd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B iwhd_log_t
@@ -38679,6 +41564,8 @@ index 0000000..e6502cf
 +	/var/run/iwhd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
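Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so the iwhd page gets an empty section followed directly by COMMANDS. The header should be emitted only when the domain has nsswitch-related booleans to document, as the irssi and iscsid pages do. The same empty header is added in the jabberd_router, jabberd, jockey, kadmind and kdumpctl hunks.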
@@ -38700,19 +41587,46 @@ index 0000000..e6502cf
 +selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/jabberd_router_selinux.8 b/man/man8/jabberd_router_selinux.8
 new file mode 100644
-index 0000000..40033fc
+index 0000000..a6e4397
 --- /dev/null
 +++ b/man/man8/jabberd_router_selinux.8
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,99 @@
 +.TH  "jabberd_router_selinux"  "8"  "jabberd_router" "dwalsh at redhat.com" "jabberd_router SELinux Policy documentation"
 +.SH "NAME"
 +jabberd_router_selinux \- Security Enhanced Linux Policy for the jabberd_router processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the jabberd_router processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the jabberd_router processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The jabberd_router processes execute with the jabberd_router_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep jabberd_router_t
++
++
++.SH "ENTRYPOINTS"
++
++The jabberd_router_t SELinux type can be entered via the "jabberd_router_exec_t" file type.  The default entrypoint paths for the jabberd_router_t domain are the following:"
++
++/usr/bin/c2s, /usr/bin/router
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible.
++.PP 
++The following process types are defined for jabberd_router:
++
++.EX
++.B jabberd_router_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -38744,27 +41658,9 @@ index 0000000..40033fc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for jabberd_router:
-+
-+.EX
-+.B jabberd_router_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type jabberd_router_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type jabberd_router_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B jabberd_var_lib_t
@@ -38772,6 +41668,8 @@ index 0000000..40033fc
 +	/var/lib/jabberd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -38791,23 +41689,50 @@ index 0000000..40033fc
 +
 +.SH "SEE ALSO"
 +selinux(8), jabberd_router(8), semanage(8), restorecon(8), chcon(1)
-+, jabberd_selinux(8)
++, jabberd_selinux(8), jabberd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8
 new file mode 100644
-index 0000000..c9ed7c3
+index 0000000..92d32e3
 --- /dev/null
 +++ b/man/man8/jabberd_selinux.8
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,175 @@
 +.TH  "jabberd_selinux"  "8"  "jabberd" "dwalsh at redhat.com" "jabberd SELinux Policy documentation"
 +.SH "NAME"
 +jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the jabberd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the jabberd processes via flexible mandatory access control.
++
++The jabberd processes execute with the jabberd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep jabberd_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The jabberd_t SELinux type can be entered via the "jabberd_exec_t" file type.  The default entrypoint paths for the jabberd_t domain are the following:"
++
++/usr/bin/s2s, /usr/bin/sm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
++.PP 
++The following process types are defined for jabberd:
++
++.EX
++.B jabberd_router_t, jabberd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
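Review bot: The SEE ALSO line for jabberd_router now lists the same page twice, `, jabberd_selinux(8), jabberd_selinux(8)`. The line should stay `, jabberd_selinux(8)`. The generator presumably appends related pages without de-duplicating, so a set or uniqueness check there would stop this recurring. This hunk also carries the jabberd page header, whose body continues outside the hunk.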
@@ -38912,27 +41837,9 @@ index 0000000..c9ed7c3
 +Default Defined Ports:
 +tcp 5347
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for jabberd:
-+
-+.EX
-+.B jabberd_router_t, jabberd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type jabberd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type jabberd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B jabberd_var_lib_t
@@ -38940,6 +41847,8 @@ index 0000000..c9ed7c3
 +	/var/lib/jabberd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -38966,19 +41875,46 @@ index 0000000..c9ed7c3
 \ No newline at end of file
 diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8
 new file mode 100644
-index 0000000..e0f51b4
+index 0000000..3ae7f9e
 --- /dev/null
 +++ b/man/man8/jockey_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "jockey_selinux"  "8"  "jockey" "dwalsh at redhat.com" "jockey SELinux Policy documentation"
 +.SH "NAME"
 +jockey_selinux \- Security Enhanced Linux Policy for the jockey processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the jockey processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the jockey processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The jockey processes execute with the jockey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep jockey_t
++
++
++.SH "ENTRYPOINTS"
++
++The jockey_t SELinux type can be entered via the "jockey_exec_t" file type.  The default entrypoint paths for the jockey_t domain are the following:"
++
++/usr/share/jockey/jockey-backend
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
++.PP 
++The following process types are defined for jockey:
++
++.EX
++.B jockey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -39026,27 +41962,9 @@ index 0000000..e0f51b4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for jockey:
-+
-+.EX
-+.B jockey_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type jockey_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type jockey_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B jockey_cache_t
@@ -39062,6 +41980,8 @@ index 0000000..e0f51b4
 +	/var/log/jockey\.log.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -39083,19 +42003,46 @@ index 0000000..e0f51b4
 +selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8
 new file mode 100644
-index 0000000..fac618c
+index 0000000..6197d05
 --- /dev/null
 +++ b/man/man8/kadmind_selinux.8
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,164 @@
 +.TH  "kadmind_selinux"  "8"  "kadmind" "dwalsh at redhat.com" "kadmind SELinux Policy documentation"
 +.SH "NAME"
 +kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the kadmind processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the kadmind processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The kadmind processes execute with the kadmind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep kadmind_t
++
++
++.SH "ENTRYPOINTS"
++
++The kadmind_t SELinux type can be entered via the "kadmind_exec_t" file type.  The default entrypoint paths for the kadmind_t domain are the following:"
++
++/usr/(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
++.PP 
++The following process types are defined for kadmind:
++
++.EX
++.B kadmind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -39151,27 +42098,9 @@ index 0000000..fac618c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kadmind:
-+
-+.EX
-+.B kadmind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type kadmind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type kadmind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B kadmind_log_t
@@ -39188,6 +42117,16 @@ index 0000000..fac618c
 +
 +
 +.br
++.B krb5kdc_conf_t
++
++	/etc/krb5kdc(/.*)?
++.br
++	/usr/var/krb5kdc(/.*)?
++.br
++	/var/kerberos/krb5kdc(/.*)?
++.br
++
++.br
 +.B krb5kdc_lock_t
 +
 +	/var/kerberos/krb5kdc/principal.*\.ok
@@ -39211,6 +42150,8 @@ index 0000000..fac618c
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -39232,33 +42173,46 @@ index 0000000..fac618c
 +selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8
 new file mode 100644
-index 0000000..dba8cdf
+index 0000000..d2215f7
 --- /dev/null
 +++ b/man/man8/kdump_selinux.8
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,171 @@
 +.TH  "kdump_selinux"  "8"  "kdump" "dwalsh at redhat.com" "kdump SELinux Policy documentation"
 +.SH "NAME"
 +kdump_selinux \- Security Enhanced Linux Policy for the kdump processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the kdump processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the kdump processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The kdump processes execute with the kdump_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep kdump_t
 +
++
++.SH "ENTRYPOINTS"
++
++The kdump_t SELinux type can be entered via the "kdump_exec_t" file type.  The default entrypoint paths for the kdump_t domain are the following:"
++
++/usr/sbin/kdump, /usr/sbin/kexec, /sbin/kdump, /sbin/kexec
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
++.PP 
++The following process types are defined for kdump:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B kdumpgui_t, kdumpctl_t, kdump_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -39354,27 +42308,25 @@ index 0000000..dba8cdf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type kdump_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kdump:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B kdumpgui_t, kdumpctl_t, kdump_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type kdump_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
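Review bot: In the kdump_selinux page the NSSWITCH DOMAIN paragraphs name `kdumpgui_t` ("...for the kdumpgui_t, you must turn on..."), not `kdump_t`. A reader could set `authlogin_nsswitch_use_ldap` or `kerberos_enabled` expecting an effect on kdump_t that these lines do not establish. Either say which domain the booleans apply to and point to `kdumpgui_selinux(8)`, or omit the section from this page. MANAGED FILES also announces "the following file types" and then lists none, so that header should be skipped when the list is empty.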
@@ -39399,19 +42351,46 @@ index 0000000..dba8cdf
 \ No newline at end of file
 diff --git a/man/man8/kdumpctl_selinux.8 b/man/man8/kdumpctl_selinux.8
 new file mode 100644
-index 0000000..ac471d6
+index 0000000..e58cb36
 --- /dev/null
 +++ b/man/man8/kdumpctl_selinux.8
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,129 @@
 +.TH  "kdumpctl_selinux"  "8"  "kdumpctl" "dwalsh at redhat.com" "kdumpctl SELinux Policy documentation"
 +.SH "NAME"
 +kdumpctl_selinux \- Security Enhanced Linux Policy for the kdumpctl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the kdumpctl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the kdumpctl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The kdumpctl processes execute with the kdumpctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep kdumpctl_t
++
++
++.SH "ENTRYPOINTS"
++
++The kdumpctl_t SELinux type can be entered via the "kdumpctl_exec_t" file type.  The default entrypoint paths for the kdumpctl_t domain are the following:"
++
++/usr/bin/kdumpctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for kdumpctl:
++
++.EX
++.B kdumpctl_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -39455,27 +42434,9 @@ index 0000000..ac471d6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kdumpctl:
-+
-+.EX
-+.B kdumpctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type kdumpctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type kdumpctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boot_t
@@ -39501,6 +42462,8 @@ index 0000000..ac471d6
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -39524,33 +42487,46 @@ index 0000000..ac471d6
 \ No newline at end of file
 diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8
 new file mode 100644
-index 0000000..9a15e78
+index 0000000..1730a1d
 --- /dev/null
 +++ b/man/man8/kdumpgui_selinux.8
-@@ -0,0 +1,184 @@
+@@ -0,0 +1,195 @@
 +.TH  "kdumpgui_selinux"  "8"  "kdumpgui" "dwalsh at redhat.com" "kdumpgui SELinux Policy documentation"
 +.SH "NAME"
 +kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the kdumpgui processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the kdumpgui processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The kdumpgui processes execute with the kdumpgui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep kdumpgui_t
++
++
++.SH "ENTRYPOINTS"
 +
++The kdumpgui_t SELinux type can be entered via the "kdumpgui_exec_t" file type.  The default entrypoint paths for the kdumpgui_t domain are the following:"
++
++/usr/share/system-config-kdump/system-config-kdump-backend\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
++.PP 
++The following process types are defined for kdumpgui:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B kdumpgui_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
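Review bot: In the PROCESS TYPES text that this hunk moves up, `\fBps\bP` ends with `\bP` where the font-reset escape `\fP` was presumably meant, so the bold opened by `\fB` is not closed on that line; it should read `\fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray `"` after `are the following:`. Both slips recur in the keyboardd, keystone, kismet, klogd, kpropd, krb5kdc and ksmtuned pages in this patch, so the fix belongs in the generator template rather than in each page. The man page itself continues outside this hunk.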
@@ -39586,27 +42562,9 @@ index 0000000..9a15e78
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kdumpgui:
-+
-+.EX
-+.B kdumpgui_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type kdumpgui_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type kdumpgui_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boot_t
@@ -39692,6 +42650,22 @@ index 0000000..9a15e78
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -39749,19 +42723,46 @@ index a8f81c8..0000000
 -selinux(8), kerberos(1), chcon(1), setsebool(8)
 diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8
 new file mode 100644
-index 0000000..1667438
+index 0000000..2adfcd3
 --- /dev/null
 +++ b/man/man8/keyboardd_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,142 @@
 +.TH  "keyboardd_selinux"  "8"  "keyboardd" "dwalsh at redhat.com" "keyboardd SELinux Policy documentation"
 +.SH "NAME"
 +keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the keyboardd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the keyboardd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The keyboardd processes execute with the keyboardd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep keyboardd_t
++
++
++.SH "ENTRYPOINTS"
++
++The keyboardd_t SELinux type can be entered via the "keyboardd_exec_t" file type.  The default entrypoint paths for the keyboardd_t domain are the following:"
++
++/usr/bin/system-setup-keyboard
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
++.PP 
++The following process types are defined for keyboardd:
++
++.EX
++.B keyboardd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -39789,27 +42790,9 @@ index 0000000..1667438
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for keyboardd:
-+
-+.EX
-+.B keyboardd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type keyboardd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type keyboardd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -39865,6 +42848,8 @@ index 0000000..1667438
 +	/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -39886,33 +42871,46 @@ index 0000000..1667438
 +selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8
 new file mode 100644
-index 0000000..e40e6a6
+index 0000000..1f90fd7
 --- /dev/null
 +++ b/man/man8/keystone_selinux.8
-@@ -0,0 +1,227 @@
+@@ -0,0 +1,238 @@
 +.TH  "keystone_selinux"  "8"  "keystone" "dwalsh at redhat.com" "keystone SELinux Policy documentation"
 +.SH "NAME"
 +keystone_selinux \- Security Enhanced Linux Policy for the keystone processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the keystone processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the keystone processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The keystone processes execute with the keystone_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep keystone_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The keystone_t SELinux type can be entered via the "keystone_exec_t" file type.  The default entrypoint paths for the keystone_t domain are the following:"
++
++/usr/bin/keystone-all
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
++.PP 
++The following process types are defined for keystone:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B keystone_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -39997,27 +42995,9 @@ index 0000000..e40e6a6
 +.EE
 +udp 5000
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for keystone:
-+
-+.EX
-+.B keystone_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type keystone_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type keystone_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -40095,6 +43075,22 @@ index 0000000..e40e6a6
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -40119,33 +43115,46 @@ index 0000000..e40e6a6
 +selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8
 new file mode 100644
-index 0000000..e5cf4c8
+index 0000000..e189330
 --- /dev/null
 +++ b/man/man8/kismet_selinux.8
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,186 @@
 +.TH  "kismet_selinux"  "8"  "kismet" "dwalsh at redhat.com" "kismet SELinux Policy documentation"
 +.SH "NAME"
 +kismet_selinux \- Security Enhanced Linux Policy for the kismet processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the kismet processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the kismet processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The kismet processes execute with the kismet_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep kismet_t
 +
++
++.SH "ENTRYPOINTS"
++
++The kismet_t SELinux type can be entered via the "kismet_exec_t" file type.  The default entrypoint paths for the kismet_t domain are the following:"
++
++/usr/bin/kismet
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
++.PP 
++The following process types are defined for kismet:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B kismet_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -40221,33 +43230,19 @@ index 0000000..e5cf4c8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kismet:
-+
-+.EX
-+.B kismet_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type kismet_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type kismet_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B kismet_home_t
 +
 +	/home/[^/]*/\.kismet(/.*)?
 +.br
++	/home/dwalsh/\.kismet(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.kismet(/.*)?
++.br
 +
 +.br
 +.B kismet_log_t
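Review bot: The two paths added under kismet_home_t, `/home/dwalsh/\.kismet(/.*)?` and `/var/lib/xguest/home/xguest/\.kismet(/.*)?`, look like per-user file-context entries from the machine the page was generated on rather than defaults of the policy. The generic `/home/[^/]*/\.kismet(/.*)?` line just above already covers home directories. Shipping them puts a developer's account name into the distributed man page and makes the output depend on the state of the build host. I would drop both lines and regenerate the pages against a clean policy store, or have the generator filter host-specific home-directory contexts.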
@@ -40275,6 +43270,22 @@ index 0000000..e5cf4c8
 +	/var/run/kismet_server.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -40296,19 +43307,46 @@ index 0000000..e5cf4c8
 +selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8
 new file mode 100644
-index 0000000..25b7851
+index 0000000..0516011
 --- /dev/null
 +++ b/man/man8/klogd_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,118 @@
 +.TH  "klogd_selinux"  "8"  "klogd" "dwalsh at redhat.com" "klogd SELinux Policy documentation"
 +.SH "NAME"
 +klogd_selinux \- Security Enhanced Linux Policy for the klogd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the klogd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the klogd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The klogd processes execute with the klogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep klogd_t
++
++
++.SH "ENTRYPOINTS"
++
++The klogd_t SELinux type can be entered via the "klogd_exec_t" file type.  The default entrypoint paths for the klogd_t domain are the following:"
++
++/usr/sbin/rklogd, /usr/sbin/klogd, /sbin/klogd, /sbin/rklogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for klogd:
++
++.EX
++.B klogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -40356,27 +43394,9 @@ index 0000000..25b7851
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for klogd:
-+
-+.EX
-+.B klogd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type klogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type klogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B klogd_tmp_t
@@ -40388,6 +43408,8 @@ index 0000000..25b7851
 +	/var/run/klogd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -40409,19 +43431,46 @@ index 0000000..25b7851
 +selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8
 new file mode 100644
-index 0000000..849c106
+index 0000000..faa7add
 --- /dev/null
 +++ b/man/man8/kpropd_selinux.8
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,168 @@
 +.TH  "kpropd_selinux"  "8"  "kpropd" "dwalsh at redhat.com" "kpropd SELinux Policy documentation"
 +.SH "NAME"
 +kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the kpropd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the kpropd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The kpropd processes execute with the kpropd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep kpropd_t
++
++
++.SH "ENTRYPOINTS"
++
++The kpropd_t SELinux type can be entered via the "kpropd_exec_t" file type.  The default entrypoint paths for the kpropd_t domain are the following:"
++
++/usr/kerberos/sbin/kpropd, /usr/sbin/kpropd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
++.PP 
++The following process types are defined for kpropd:
++
++.EX
++.B kpropd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -40441,6 +43490,10 @@ index 0000000..849c106
 +
 +- Set files with the kpropd_exec_t type, if you want to transition an executable to the kpropd_t domain.
 +
++.br
++.TP 5
++Paths: 
++/usr/kerberos/sbin/kpropd, /usr/sbin/kpropd
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
@@ -40472,27 +43525,9 @@ index 0000000..849c106
 +Default Defined Ports:
 +tcp 754
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for kpropd:
-+
-+.EX
-+.B kpropd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type kpropd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type kpropd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B krb5_host_rcache_t
@@ -40544,6 +43579,8 @@ index 0000000..849c106
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -40568,19 +43605,46 @@ index 0000000..849c106
 +selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8
 new file mode 100644
-index 0000000..499dd15
+index 0000000..d23b126
 --- /dev/null
 +++ b/man/man8/krb5kdc_selinux.8
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,186 @@
 +.TH  "krb5kdc_selinux"  "8"  "krb5kdc" "dwalsh at redhat.com" "krb5kdc SELinux Policy documentation"
 +.SH "NAME"
 +krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the krb5kdc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the krb5kdc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The krb5kdc processes execute with the krb5kdc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep krb5kdc_t
++
++
++.SH "ENTRYPOINTS"
++
++The krb5kdc_t SELinux type can be entered via the "krb5kdc_exec_t" file type.  The default entrypoint paths for the krb5kdc_t domain are the following:"
++
++/usr/(kerberos/)?sbin/krb5kdc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
++.PP 
++The following process types are defined for krb5kdc:
++
++.EX
++.B krb5kdc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -40668,27 +43732,9 @@ index 0000000..499dd15
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for krb5kdc:
-+
-+.EX
-+.B krb5kdc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type krb5kdc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type krb5kdc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B krb5kdc_lock_t
@@ -40728,6 +43774,8 @@ index 0000000..499dd15
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -40749,33 +43797,46 @@ index 0000000..499dd15
 +selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8
 new file mode 100644
-index 0000000..1afda4b
+index 0000000..af55445
 --- /dev/null
 +++ b/man/man8/ksmtuned_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,144 @@
 +.TH  "ksmtuned_selinux"  "8"  "ksmtuned" "dwalsh at redhat.com" "ksmtuned SELinux Policy documentation"
 +.SH "NAME"
 +ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ksmtuned processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ksmtuned processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ksmtuned processes execute with the ksmtuned_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ksmtuned_t
++
++
++.SH "ENTRYPOINTS"
 +
++The ksmtuned_t SELinux type can be entered via the "ksmtuned_exec_t" file type.  The default entrypoint paths for the ksmtuned_t domain are the following:"
++
++/usr/sbin/ksmtuned
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
++.PP 
++The following process types are defined for ksmtuned:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ksmtuned_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -40827,27 +43888,9 @@ index 0000000..1afda4b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ksmtuned:
-+
-+.EX
-+.B ksmtuned_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ksmtuned_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ksmtuned_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ksmtuned_log_t
@@ -40867,6 +43910,22 @@ index 0000000..1afda4b
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -40888,33 +43947,46 @@ index 0000000..1afda4b
 +selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8
 new file mode 100644
-index 0000000..e310f3a
+index 0000000..30f19a6
 --- /dev/null
 +++ b/man/man8/ktalkd_selinux.8
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,170 @@
 +.TH  "ktalkd_selinux"  "8"  "ktalkd" "dwalsh at redhat.com" "ktalkd SELinux Policy documentation"
 +.SH "NAME"
 +ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ktalkd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ktalkd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ktalkd processes execute with the ktalkd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ktalkd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The ktalkd_t SELinux type can be entered via the "ktalkd_exec_t" file type.  The default entrypoint paths for the ktalkd_t domain are the following:"
++
++/usr/sbin/in\.talkd, /usr/bin/ktalkd, /usr/sbin/in\.ntalkd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ktalkd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ktalkd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
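Review bot: The relocated PROCESS TYPES paragraph still ends with `\fBps\bP`, where the closing escape should be `\fP`, so the font is never switched back and `\b` is read as a different roff escape. The line should be `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is added in the l2tpd, ldconfig, lircd, livecd, lldpad, load_policy, loadkeys and locate hunks, so it is presumably a template defect. The new ENTRYPOINTS sentence also ends with a stray quote (`are the following:"`), which should be dropped.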
@@ -40993,27 +44065,9 @@ index 0000000..e310f3a
 +Default Defined Ports:
 +udp 517,518
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ktalkd:
-+
-+.EX
-+.B ktalkd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ktalkd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ktalkd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ktalkd_log_t
@@ -41029,6 +44083,22 @@ index 0000000..e310f3a
 +.B ktalkd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -41053,19 +44123,46 @@ index 0000000..e310f3a
 +selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8
 new file mode 100644
-index 0000000..83b5e43
+index 0000000..d83d4c3
 --- /dev/null
 +++ b/man/man8/l2tpd_selinux.8
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,168 @@
 +.TH  "l2tpd_selinux"  "8"  "l2tpd" "dwalsh at redhat.com" "l2tpd SELinux Policy documentation"
 +.SH "NAME"
 +l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the l2tpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the l2tpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The l2tpd processes execute with the l2tpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep l2tpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The l2tpd_t SELinux type can be entered via the "l2tpd_exec_t" file type.  The default entrypoint paths for the l2tpd_t domain are the following:"
++
++/usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for l2tpd:
++
++.EX
++.B l2tpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -41154,27 +44251,9 @@ index 0000000..83b5e43
 +.EE
 +udp 1701
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for l2tpd:
-+
-+.EX
-+.B l2tpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type l2tpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type l2tpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B l2tpd_var_run_t
@@ -41192,6 +44271,8 @@ index 0000000..83b5e43
 +	/var/run/openl2tpd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
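Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so l2tpd_selinux(8) renders an empty section directly above COMMANDS. The ldconfig, lircd, livecd, lldpad, load_policy and loadkeys hunks add the same empty heading. A reader cannot tell whether no nsswitch booleans apply to l2tpd_t or the text went missing. Either omit the heading when there is nothing to list, or add one line such as `No nsswitch booleans apply to this domain.` if that is what the empty section means.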
@@ -41216,19 +44297,46 @@ index 0000000..83b5e43
 +selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8
 new file mode 100644
-index 0000000..c1d439d
+index 0000000..9ba649f
 --- /dev/null
 +++ b/man/man8/ldconfig_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,160 @@
 +.TH  "ldconfig_selinux"  "8"  "ldconfig" "dwalsh at redhat.com" "ldconfig SELinux Policy documentation"
 +.SH "NAME"
 +ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ldconfig processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ldconfig processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ldconfig processes execute with the ldconfig_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ldconfig_t
++
++
++.SH "ENTRYPOINTS"
++
++The ldconfig_t SELinux type can be entered via the "ldconfig_exec_t" file type.  The default entrypoint paths for the ldconfig_t domain are the following:"
++
++/usr/sbin/ldconfig, /sbin/ldconfig
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
++.PP 
++The following process types are defined for ldconfig:
++
++.EX
++.B ldconfig_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -41276,27 +44384,9 @@ index 0000000..c1d439d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ldconfig:
-+
-+.EX
-+.B ldconfig_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ldconfig_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ldconfig_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B kdumpctl_tmp_t
@@ -41333,6 +44423,10 @@ index 0000000..c1d439d
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B user_tmp_t
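Review bot: The two paths added to the list above `user_tmp_t`, `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+`, look like accounts on the machine where the page was produced rather than policy defaults. The next hunk adds `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` in the same way. MANAGED FILES describes its entries as "the default paths for these file types", so the shipped page should keep only the generic patterns already present (`/home/[^/]*/.+`, `/tmp/gconfd-.*`). I would drop the four host-specific lines with their `.br` separators and, if the pages are generated, have the generator skip per-user entries taken from the local system. The MANAGED FILES list begins and ends outside this hunk.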
@@ -41341,6 +44435,12 @@ index 0000000..c1d439d
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -41363,19 +44463,46 @@ index 0000000..c1d439d
 +selinux(8), ldconfig(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8
 new file mode 100644
-index 0000000..00aa871
+index 0000000..f9c4b9d
 --- /dev/null
 +++ b/man/man8/lircd_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "lircd_selinux"  "8"  "lircd" "dwalsh at redhat.com" "lircd SELinux Policy documentation"
 +.SH "NAME"
 +lircd_selinux \- Security Enhanced Linux Policy for the lircd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lircd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lircd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lircd processes execute with the lircd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lircd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lircd_t SELinux type can be entered via the "lircd_exec_t" file type.  The default entrypoint paths for the lircd_t domain are the following:"
++
++/usr/sbin/lircd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lircd:
++
++.EX
++.B lircd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -41458,27 +44585,9 @@ index 0000000..00aa871
 +Default Defined Ports:
 +tcp 8765
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lircd:
-+
-+.EX
-+.B lircd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lircd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lircd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B lircd_var_run_t
@@ -41500,6 +44609,8 @@ index 0000000..00aa871
 +	/var/lock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -41524,19 +44635,46 @@ index 0000000..00aa871
 +selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8
 new file mode 100644
-index 0000000..d813f25
+index 0000000..f947686
 --- /dev/null
 +++ b/man/man8/livecd_selinux.8
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,102 @@
 +.TH  "livecd_selinux"  "8"  "livecd" "dwalsh at redhat.com" "livecd SELinux Policy documentation"
 +.SH "NAME"
 +livecd_selinux \- Security Enhanced Linux Policy for the livecd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the livecd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the livecd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The livecd processes execute with the livecd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep livecd_t
++
++
++.SH "ENTRYPOINTS"
++
++The livecd_t SELinux type can be entered via the "proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,livecd_exec_t,unlabeled_t" file types.  The default entrypoint paths for the livecd_t domain are the following:"
++
++/dev/cpu/mtrr, /usr/bin/livecd-creator
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
++.PP 
++The following process types are defined for livecd:
++
++.EX
++.B livecd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
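Review bot: The ENTRYPOINTS sentence for livecd_t presents `proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,livecd_exec_t,unlabeled_t` as "file types", but this page's own MANAGED FILES section describes `file_type` as "all files on the system". If that reading holds, the domain can be entered from far more than the two paths printed (`/dev/cpu/mtrr, /usr/bin/livecd-creator`), and the page understates how broad livecd_t is. I would add a sentence such as `file_type covers every file on the system, so the paths below are only those with an explicit default label.` and confirm against the policy that so wide an entrypoint set is intended. The sentence also ends with a stray `"` after `following:`.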
@@ -41572,27 +44710,9 @@ index 0000000..d813f25
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for livecd:
-+
-+.EX
-+.B livecd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type livecd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type livecd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B file_type
@@ -41600,6 +44720,8 @@ index 0000000..d813f25
 +	all files on the system
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -41621,19 +44743,46 @@ index 0000000..d813f25
 +selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8
 new file mode 100644
-index 0000000..e910d81
+index 0000000..fe283cb
 --- /dev/null
 +++ b/man/man8/lldpad_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,136 @@
 +.TH  "lldpad_selinux"  "8"  "lldpad" "dwalsh at redhat.com" "lldpad SELinux Policy documentation"
 +.SH "NAME"
 +lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lldpad processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lldpad processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lldpad processes execute with the lldpad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lldpad_t
++
++
++.SH "ENTRYPOINTS"
++
++The lldpad_t SELinux type can be entered via the "lldpad_exec_t" file type.  The default entrypoint paths for the lldpad_t domain are the following:"
++
++/usr/sbin/lldpad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
++.PP 
++The following process types are defined for lldpad:
++
++.EX
++.B lldpad_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -41693,27 +44842,9 @@ index 0000000..e910d81
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lldpad:
-+
-+.EX
-+.B lldpad_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lldpad_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lldpad_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B lldpad_tmpfs_t
@@ -41731,6 +44862,8 @@ index 0000000..e910d81
 +	/var/run/lldpad\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -41752,19 +44885,46 @@ index 0000000..e910d81
 +selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/load_policy_selinux.8 b/man/man8/load_policy_selinux.8
 new file mode 100644
-index 0000000..92bf5c1
+index 0000000..6bd77d9
 --- /dev/null
 +++ b/man/man8/load_policy_selinux.8
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,97 @@
 +.TH  "load_policy_selinux"  "8"  "load_policy" "dwalsh at redhat.com" "load_policy SELinux Policy documentation"
 +.SH "NAME"
 +load_policy_selinux \- Security Enhanced Linux Policy for the load_policy processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the load_policy processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the load_policy processes via flexible mandatory access control.
++
++The load_policy processes execute with the load_policy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep load_policy_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The load_policy_t SELinux type can be entered via the "load_policy_exec_t" file type.  The default entrypoint paths for the load_policy_t domain are the following:"
++
++/usr/sbin/load_policy, /sbin/load_policy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible.
++.PP 
++The following process types are defined for load_policy:
++
++.EX
++.B load_policy_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -41796,32 +44956,16 @@ index 0000000..92bf5c1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for load_policy:
-+
-+.EX
-+.B load_policy_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type load_policy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type load_policy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boolean_type
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -41841,21 +44985,50 @@ index 0000000..92bf5c1
 +
 +.SH "SEE ALSO"
 +selinux(8), load_policy(8), semanage(8), restorecon(8), chcon(1)
++, loadkeys_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8
 new file mode 100644
-index 0000000..33b75c0
+index 0000000..18f76c5
 --- /dev/null
 +++ b/man/man8/loadkeys_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "loadkeys_selinux"  "8"  "loadkeys" "dwalsh at redhat.com" "loadkeys SELinux Policy documentation"
 +.SH "NAME"
 +loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the loadkeys processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the loadkeys processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The loadkeys processes execute with the loadkeys_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep loadkeys_t
++
++
++.SH "ENTRYPOINTS"
++
++The loadkeys_t SELinux type can be entered via the "loadkeys_exec_t" file type.  The default entrypoint paths for the loadkeys_t domain are the following:"
++
++/usr/bin/unikeys, /usr/bin/loadkeys
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
++.PP 
++The following process types are defined for loadkeys:
++
++.EX
++.B loadkeys_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
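Review bot: At the top of this hunk the new cross-reference is appended to load_policy_selinux.8 as its own line beginning with a comma, `, loadkeys_selinux(8)`, and the file now ends without a newline. It renders as `chcon(1) , loadkeys_selinux(8)` with a space before the comma. I would fold it into the preceding line, `selinux(8), load_policy(8), semanage(8), restorecon(8), chcon(1), loadkeys_selinux(8)`, and terminate the file with a newline. The rest of the hunk belongs to loadkeys_selinux.8, whose FILE CONTEXTS section continues outside it.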
@@ -41887,27 +45060,11 @@ index 0000000..33b75c0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for loadkeys:
-+
-+.EX
-+.B loadkeys_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type loadkeys_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type loadkeys_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -41930,33 +45087,46 @@ index 0000000..33b75c0
 +selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8
 new file mode 100644
-index 0000000..2b21e64
+index 0000000..35b40ae
 --- /dev/null
 +++ b/man/man8/locate_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "locate_selinux"  "8"  "locate" "dwalsh at redhat.com" "locate SELinux Policy documentation"
 +.SH "NAME"
 +locate_selinux \- Security Enhanced Linux Policy for the locate processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the locate processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the locate processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The locate processes execute with the locate_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep locate_t
++
++
++.SH "ENTRYPOINTS"
 +
++The locate_t SELinux type can be entered via the "locate_exec_t" file type.  The default entrypoint paths for the locate_t domain are the following:"
++
++/usr/bin/updatedb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
++.PP 
++The following process types are defined for locate:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B locate_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -42000,27 +45170,9 @@ index 0000000..2b21e64
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for locate:
-+
-+.EX
-+.B locate_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type locate_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type locate_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B locate_var_lib_t
@@ -42028,6 +45180,22 @@ index 0000000..2b21e64
 +	/var/lib/[sm]locate(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -42049,19 +45217,46 @@ index 0000000..2b21e64
 +selinux(8), locate(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8
 new file mode 100644
-index 0000000..4f3619b
+index 0000000..99e7812
 --- /dev/null
 +++ b/man/man8/lockdev_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "lockdev_selinux"  "8"  "lockdev" "dwalsh at redhat.com" "lockdev SELinux Policy documentation"
 +.SH "NAME"
 +lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lockdev processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lockdev processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lockdev processes execute with the lockdev_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lockdev_t
++
++
++.SH "ENTRYPOINTS"
++
++The lockdev_t SELinux type can be entered via the "lockdev_exec_t" file type.  The default entrypoint paths for the lockdev_t domain are the following:"
++
++/usr/sbin/lockdev
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
++.PP 
++The following process types are defined for lockdev:
++
++.EX
++.B lockdev_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
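Review bot: The added PROCESS TYPES line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends in `\bP` where the font-reset escape `\fP` is meant, so bold is not switched off after `ps`; it should end `\fBps\fP`, as the new DESCRIPTION paragraph in this hunk already does. The ENTRYPOINTS sentence added just above it also carries a stray closing quote (`are the following:"`). Both look like generator template output, and the same two lines recur in the logrotate, logwatch, lpd, lpr, lsassd, lvm and lwiod hunks below. The fix belongs in the template rather than in each page.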
@@ -42097,32 +45292,16 @@ index 0000000..4f3619b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lockdev:
-+
-+.EX
-+.B lockdev_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lockdev_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lockdev_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B lockdev_lock_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -42144,7 +45323,7 @@ index 0000000..4f3619b
 +selinux(8), lockdev(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/logadm_selinux.8 b/man/man8/logadm_selinux.8
 new file mode 100644
-index 0000000..7e4c998
+index 0000000..6cbdeaf
 --- /dev/null
 +++ b/man/man8/logadm_selinux.8
 @@ -0,0 +1,159 @@
@@ -42192,7 +45371,7 @@ index 0000000..7e4c998
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type logadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type logadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auditd_etc_t
@@ -42309,33 +45488,46 @@ index 0000000..7e4c998
 +selinux(8), logadm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8
 new file mode 100644
-index 0000000..66869e4
+index 0000000..7f9f90d
 --- /dev/null
 +++ b/man/man8/logrotate_selinux.8
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,200 @@
 +.TH  "logrotate_selinux"  "8"  "logrotate" "dwalsh at redhat.com" "logrotate SELinux Policy documentation"
 +.SH "NAME"
 +logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the logrotate processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the logrotate processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The logrotate processes execute with the logrotate_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep logrotate_t
++
++
++.SH "ENTRYPOINTS"
++
++The logrotate_t SELinux type can be entered via the "logrotate_exec_t" file type.  The default entrypoint paths for the logrotate_t domain are the following:"
 +
++/usr/sbin/logrotate, /etc/cron\.(daily|weekly)/sysklogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
++.PP 
++The following process types are defined for logrotate:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B logrotate_t, logrotate_mail_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -42399,27 +45591,9 @@ index 0000000..66869e4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for logrotate:
-+
-+.EX
-+.B logrotate_t, logrotate_mail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type logrotate_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type logrotate_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_var_cache_t
@@ -42483,6 +45657,22 @@ index 0000000..66869e4
 +	/var/spool(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -42504,33 +45694,46 @@ index 0000000..66869e4
 +selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8
 new file mode 100644
-index 0000000..751ce93
+index 0000000..00dabce
 --- /dev/null
 +++ b/man/man8/logwatch_selinux.8
-@@ -0,0 +1,165 @@
+@@ -0,0 +1,176 @@
 +.TH  "logwatch_selinux"  "8"  "logwatch" "dwalsh at redhat.com" "logwatch SELinux Policy documentation"
 +.SH "NAME"
 +logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the logwatch processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the logwatch processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The logwatch processes execute with the logwatch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep logwatch_t
 +
++
++.SH "ENTRYPOINTS"
++
++The logwatch_t SELinux type can be entered via the "logwatch_exec_t" file type.  The default entrypoint paths for the logwatch_t domain are the following:"
++
++/usr/sbin/logcheck, /usr/sbin/epylog, /usr/share/logwatch/scripts/logwatch\.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
++.PP 
++The following process types are defined for logwatch:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B logwatch_t, logwatch_mail_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -42606,27 +45809,9 @@ index 0000000..751ce93
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for logwatch:
-+
-+.EX
-+.B logwatch_t, logwatch_mail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type logwatch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type logwatch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B logwatch_cache_t
@@ -42654,6 +45839,22 @@ index 0000000..751ce93
 +	/var/run/epylog\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -42675,43 +45876,56 @@ index 0000000..751ce93
 +selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8
 new file mode 100644
-index 0000000..41f5cbc
+index 0000000..e0ad0a8
 --- /dev/null
 +++ b/man/man8/lpd_selinux.8
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,159 @@
 +.TH  "lpd_selinux"  "8"  "lpd" "dwalsh at redhat.com" "lpd SELinux Policy documentation"
 +.SH "NAME"
 +lpd_selinux \- Security Enhanced Linux Policy for the lpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lpd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible.
++The lpd processes execute with the lpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean.
++.B ps -eZ | grep lpd_t
 +
-+.EX
-+.B setsebool -P use_lpd_server 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The lpd_t SELinux type can be entered via the "lpd_exec_t" file type.  The default entrypoint paths for the lpd_t domain are the following:"
 +
++/usr/sbin/lpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lpd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B lpd_t, lpr_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
++If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P use_lpd_server 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -42760,27 +45974,9 @@ index 0000000..41f5cbc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lpd:
-+
-+.EX
-+.B lpd_t, lpr_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B lpd_tmp_t
@@ -42804,6 +46000,22 @@ index 0000000..41f5cbc
 +	/var/spool/cups-pdf(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -42830,33 +46042,46 @@ index 0000000..41f5cbc
 \ No newline at end of file
 diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8
 new file mode 100644
-index 0000000..3b5cab5
+index 0000000..aee6456
 --- /dev/null
 +++ b/man/man8/lpr_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,114 @@
 +.TH  "lpr_selinux"  "8"  "lpr" "dwalsh at redhat.com" "lpr SELinux Policy documentation"
 +.SH "NAME"
 +lpr_selinux \- Security Enhanced Linux Policy for the lpr processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lpr processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lpr processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lpr processes execute with the lpr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep lpr_t
++
++
++.SH "ENTRYPOINTS"
++
++The lpr_t SELinux type can be entered via the "lpr_exec_t" file type.  The default entrypoint paths for the lpr_t domain are the following:"
 +
++/usr/sbin/accept, /opt/gutenprint/s?bin(/.*)?, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/bin/lpoptions, /usr/bin/lpq(\.cups)?, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /usr/bin/lpr(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)?, /usr/linuxprinter/bin/l?lpr
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
++.PP 
++The following process types are defined for lpr:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B lpr_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -42896,27 +46121,25 @@ index 0000000..3b5cab5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type lpr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lpr:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B lpr_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type lpr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -42939,19 +46162,46 @@ index 0000000..3b5cab5
 +selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8
 new file mode 100644
-index 0000000..cce57f9
+index 0000000..d9e98e3
 --- /dev/null
 +++ b/man/man8/lsassd_selinux.8
-@@ -0,0 +1,251 @@
+@@ -0,0 +1,266 @@
 +.TH  "lsassd_selinux"  "8"  "lsassd" "dwalsh at redhat.com" "lsassd SELinux Policy documentation"
 +.SH "NAME"
 +lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lsassd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lsassd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lsassd processes execute with the lsassd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lsassd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lsassd_t SELinux type can be entered via the "lsassd_exec_t" file type.  The default entrypoint paths for the lsassd_t domain are the following:"
++
++/usr/sbin/lsassd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lsassd:
++
++.EX
++.B lsassd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -43019,27 +46269,9 @@ index 0000000..cce57f9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lsassd:
-+
-+.EX
-+.B lsassd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lsassd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lsassd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -43174,6 +46406,12 @@ index 0000000..cce57f9
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
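Review bot: The two added path lines `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` look like per-user file-context entries picked up from the machine the page was generated on, not policy defaults; the pattern `/home/[^/]*/.+` directly above already covers home directories generically. Shipping them puts a local account name into distributed documentation and tells administrators that lsassd_t manages paths that will not exist on their hosts, which makes the managed-files list less reliable as a reference for what the domain can write. I would regenerate the page in a clean build root, or have the generator skip locally expanded home-directory contexts, so that only `/home/[^/]*/.+` remains. The file type these paths are listed under is named above the hunk, and the `.SH NSSWITCH DOMAIN` heading added below them has no body.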
@@ -43196,19 +46434,46 @@ index 0000000..cce57f9
 +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8
 new file mode 100644
-index 0000000..1319a4b
+index 0000000..ff7e62b
 --- /dev/null
 +++ b/man/man8/lvm_selinux.8
-@@ -0,0 +1,239 @@
+@@ -0,0 +1,250 @@
 +.TH  "lvm_selinux"  "8"  "lvm" "dwalsh at redhat.com" "lvm SELinux Policy documentation"
 +.SH "NAME"
 +lvm_selinux \- Security Enhanced Linux Policy for the lvm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lvm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lvm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lvm processes execute with the lvm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lvm_t
++
++
++.SH "ENTRYPOINTS"
++
++The lvm_t SELinux type can be entered via the "lvm_exec_t" file type.  The default entrypoint paths for the lvm_t domain are the following:"
++
++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/lib/lvm-10/.*, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-expo
 rt, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/pvs, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /usr/sbin/multipath\.static, /sbin/vgexport, /usr/sbin/lvchange, /sbin/l
 vs, /usr/sbin/lvmsar, /usr/sbin/e2fsadm, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/vgsplit, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /usr/sbin/dmeventd, /sbin/lvremove, /usr/sbin/pvremove
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
++.PP 
++The following process types are defined for lvm:
++
++.EX
++.B lvm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -43300,27 +46565,9 @@ index 0000000..1319a4b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lvm:
-+
-+.EX
-+.B lvm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lvm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lvm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -43420,6 +46667,8 @@ index 0000000..1319a4b
 +	all virtual image files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -43441,19 +46690,46 @@ index 0000000..1319a4b
 +selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8
 new file mode 100644
-index 0000000..52d1bca
+index 0000000..4ada3d8
 --- /dev/null
 +++ b/man/man8/lwiod_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,128 @@
 +.TH  "lwiod_selinux"  "8"  "lwiod" "dwalsh at redhat.com" "lwiod SELinux Policy documentation"
 +.SH "NAME"
 +lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lwiod processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lwiod processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lwiod processes execute with the lwiod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lwiod_t
++
++
++.SH "ENTRYPOINTS"
++
++The lwiod_t SELinux type can be entered via the "lwiod_exec_t" file type.  The default entrypoint paths for the lwiod_t domain are the following:"
++
++/usr/sbin/lwiod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
++.PP 
++The following process types are defined for lwiod:
++
++.EX
++.B lwiod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
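Review bot: The PROCESS TYPES paragraph moved into this position still carries `\fBps\bP`, where `\b` is not a font escape, so bold is never switched back off and the text after it is likely to render wrongly. It should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`, matching the correct `\fBps\fP` used in the new DESCRIPTION paragraph of the same hunk. The new ENTRYPOINTS sentence also ends with a stray quote after `are the following:`, which will print literally. Both defects repeat in the lwregd, lwsmd, mail_munin_plugin, mailman_cgi, mailman_mail, mailman_queue, mcelog and mdadm hunks, so the fix probably belongs in whatever template produces these pages rather than in each file.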
@@ -43505,27 +46781,9 @@ index 0000000..52d1bca
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lwiod:
-+
-+.EX
-+.B lwiod_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lwiod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lwiod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B krb5_conf_t
@@ -43543,6 +46801,8 @@ index 0000000..52d1bca
 +	/var/run/lwiod.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -43564,19 +46824,46 @@ index 0000000..52d1bca
 +selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8
 new file mode 100644
-index 0000000..54bbf09
+index 0000000..a626588
 --- /dev/null
 +++ b/man/man8/lwregd_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "lwregd_selinux"  "8"  "lwregd" "dwalsh at redhat.com" "lwregd SELinux Policy documentation"
 +.SH "NAME"
 +lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lwregd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lwregd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The lwregd processes execute with the lwregd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lwregd_t
++
++
++.SH "ENTRYPOINTS"
++
++The lwregd_t SELinux type can be entered via the "lwregd_exec_t" file type.  The default entrypoint paths for the lwregd_t domain are the following:"
++
++/usr/sbin/lwregd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lwregd:
++
++.EX
++.B lwregd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -43632,27 +46919,9 @@ index 0000000..54bbf09
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lwregd:
-+
-+.EX
-+.B lwregd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lwregd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lwregd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B lwregd_var_lib_t
@@ -43668,6 +46937,8 @@ index 0000000..54bbf09
 +	/var/run/lwregd.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -43689,19 +46960,46 @@ index 0000000..54bbf09
 +selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8
 new file mode 100644
-index 0000000..070a9a1
+index 0000000..3d0bdcc
 --- /dev/null
 +++ b/man/man8/lwsmd_selinux.8
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,120 @@
 +.TH  "lwsmd_selinux"  "8"  "lwsmd" "dwalsh at redhat.com" "lwsmd SELinux Policy documentation"
 +.SH "NAME"
 +lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the lwsmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the lwsmd processes via flexible mandatory access control.
++
++The lwsmd processes execute with the lwsmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep lwsmd_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The lwsmd_t SELinux type can be entered via the "lwsmd_exec_t" file type.  The default entrypoint paths for the lwsmd_t domain are the following:"
++
++/usr/sbin/lwsmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for lwsmd:
++
++.EX
++.B lwsmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -43753,27 +47051,9 @@ index 0000000..070a9a1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for lwsmd:
-+
-+.EX
-+.B lwsmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type lwsmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type lwsmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B lwsmd_var_lib_t
@@ -43783,6 +47063,8 @@ index 0000000..070a9a1
 +.B lwsmd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -43804,19 +47086,46 @@ index 0000000..070a9a1
 +selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mail_munin_plugin_selinux.8 b/man/man8/mail_munin_plugin_selinux.8
 new file mode 100644
-index 0000000..c713a37
+index 0000000..17f70b0
 --- /dev/null
 +++ b/man/man8/mail_munin_plugin_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,117 @@
 +.TH  "mail_munin_plugin_selinux"  "8"  "mail_munin_plugin" "dwalsh at redhat.com" "mail_munin_plugin SELinux Policy documentation"
 +.SH "NAME"
 +mail_munin_plugin_selinux \- Security Enhanced Linux Policy for the mail_munin_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mail_munin_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mail_munin_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mail_munin_plugin processes execute with the mail_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mail_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The mail_munin_plugin_t SELinux type can be entered via the "mail_munin_plugin_exec_t" file type.  The default entrypoint paths for the mail_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/postfix_mail.*, /usr/share/munin/plugins/mailscanner, /usr/share/munin/plugins/courier_mta_.*, /usr/share/munin/plugins/mailman, /usr/share/munin/plugins/exim_mail.*, /usr/share/munin/plugins/qmail.*, /usr/share/munin/plugins/sendmail_.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for mail_munin_plugin:
++
++.EX
++.B mail_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -43856,27 +47165,9 @@ index 0000000..c713a37
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mail_munin_plugin:
-+
-+.EX
-+.B mail_munin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mail_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mail_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mail_munin_plugin_tmp_t
@@ -43894,6 +47185,8 @@ index 0000000..c713a37
 +	/var/lib/munin(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -43913,35 +47206,50 @@ index 0000000..c713a37
 +
 +.SH "SEE ALSO"
 +selinux(8), mail_munin_plugin(8), semanage(8), restorecon(8), chcon(1)
++, mailman_cgi_selinux(8), mailman_mail_selinux(8), mailman_queue_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/mailman_cgi_selinux.8 b/man/man8/mailman_cgi_selinux.8
 new file mode 100644
-index 0000000..0ad7230
+index 0000000..91bfefc
 --- /dev/null
 +++ b/man/man8/mailman_cgi_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,143 @@
 +.TH  "mailman_cgi_selinux"  "8"  "mailman_cgi" "dwalsh at redhat.com" "mailman_cgi SELinux Policy documentation"
 +.SH "NAME"
 +mailman_cgi_selinux \- Security Enhanced Linux Policy for the mailman_cgi processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mailman_cgi processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mailman_cgi processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mailman_cgi processes execute with the mailman_cgi_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_cgi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mailman_cgi_t
 +
++
++.SH "ENTRYPOINTS"
++
++The mailman_cgi_t SELinux type can be entered via the "mailman_cgi_exec_t" file type.  The default entrypoint paths for the mailman_cgi_t domain are the following:"
++
++/usr/lib/mailman.*/cgi-bin/.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mailman_cgi_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible.
++.PP 
++The following process types are defined for mailman_cgi:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mailman_cgi_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
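Review bot: The SEE ALSO addition at the top of this hunk starts a new input line with a leading comma and leaves the file without a trailing newline. roff joins input lines with a space, so the list renders as `chcon(1) , mailman_cgi_selinux(8)`. The new entries should be appended to the existing line, as in `... restorecon(8), chcon(1), mailman_cgi_selinux(8), ...`, and the file should end with a newline. The mail_munin_plugin page also now points at the three mailman pages, which looks like a match on the `mail` name prefix rather than a real policy relationship and is worth confirming. The same comma and newline pattern appears in the mailman_cgi, mailman_mail and mailman_queue hunks.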
@@ -43977,27 +47285,9 @@ index 0000000..0ad7230
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mailman_cgi:
-+
-+.EX
-+.B mailman_cgi_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mailman_cgi_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mailman_cgi_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mailman_archive_t
@@ -44031,6 +47321,22 @@ index 0000000..0ad7230
 +	/var/log/mailman.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_cgi_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mailman_cgi_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
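Review bot: The relocated NSSWITCH DOMAIN text keeps the wording `rather then using a sssd serve`, which reads as a typo in the one paragraph that tells an administrator when to widen the domain's access. Since the block is being moved anyway, I would correct it to `rather than using an sssd server for the mailman_cgi_t`. The identical sentence is carried over in the mailman_mail and mailman_queue hunks.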
@@ -44050,35 +47356,50 @@ index 0000000..0ad7230
 +
 +.SH "SEE ALSO"
 +selinux(8), mailman_cgi(8), semanage(8), restorecon(8), chcon(1)
++, mailman_mail_selinux(8), mailman_queue_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/mailman_mail_selinux.8 b/man/man8/mailman_mail_selinux.8
 new file mode 100644
-index 0000000..6479b3b
+index 0000000..2b83674
 --- /dev/null
 +++ b/man/man8/mailman_mail_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,157 @@
 +.TH  "mailman_mail_selinux"  "8"  "mailman_mail" "dwalsh at redhat.com" "mailman_mail SELinux Policy documentation"
 +.SH "NAME"
 +mailman_mail_selinux \- Security Enhanced Linux Policy for the mailman_mail processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mailman_mail processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mailman_mail processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mailman_mail processes execute with the mailman_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mailman_mail_t
 +
++
++.SH "ENTRYPOINTS"
++
++The mailman_mail_t SELinux type can be entered via the "mailman_mail_exec_t" file type.  The default entrypoint paths for the mailman_mail_t domain are the following:"
++
++/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mailman_mail_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible.
++.PP 
++The following process types are defined for mailman_mail:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mailman_mail_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -44118,27 +47439,9 @@ index 0000000..6479b3b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mailman_mail:
-+
-+.EX
-+.B mailman_mail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mailman_mail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mailman_mail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -44182,6 +47485,22 @@ index 0000000..6479b3b
 +	/var/run/mailman.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mailman_mail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -44201,35 +47520,50 @@ index 0000000..6479b3b
 +
 +.SH "SEE ALSO"
 +selinux(8), mailman_mail(8), semanage(8), restorecon(8), chcon(1)
++, mailman_cgi_selinux(8), mailman_queue_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/mailman_queue_selinux.8 b/man/man8/mailman_queue_selinux.8
 new file mode 100644
-index 0000000..136c141
+index 0000000..1640bf2
 --- /dev/null
 +++ b/man/man8/mailman_queue_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,173 @@
 +.TH  "mailman_queue_selinux"  "8"  "mailman_queue" "dwalsh at redhat.com" "mailman_queue SELinux Policy documentation"
 +.SH "NAME"
 +mailman_queue_selinux \- Security Enhanced Linux Policy for the mailman_queue processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mailman_queue processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mailman_queue processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mailman_queue processes execute with the mailman_queue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mailman_queue_t
++
++
++.SH "ENTRYPOINTS"
++
++The mailman_queue_t SELinux type can be entered via the "mailman_queue_exec_t" file type.  The default entrypoint paths for the mailman_queue_t domain are the following:"
 +
++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mailman_queue_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible.
++.PP 
++The following process types are defined for mailman_queue:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mailman_queue_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -44269,27 +47603,9 @@ index 0000000..136c141
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mailman_queue:
-+
-+.EX
-+.B mailman_queue_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mailman_queue_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mailman_queue_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -44349,6 +47665,22 @@ index 0000000..136c141
 +	/var/run/pcscd\.comm
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mailman_queue_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -44368,21 +47700,50 @@ index 0000000..136c141
 +
 +.SH "SEE ALSO"
 +selinux(8), mailman_queue(8), semanage(8), restorecon(8), chcon(1)
++, mailman_cgi_selinux(8), mailman_mail_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8
 new file mode 100644
-index 0000000..1c3f6d3
+index 0000000..eac4c72
 --- /dev/null
 +++ b/man/man8/mcelog_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "mcelog_selinux"  "8"  "mcelog" "dwalsh at redhat.com" "mcelog SELinux Policy documentation"
 +.SH "NAME"
 +mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mcelog processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mcelog processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mcelog processes execute with the mcelog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mcelog_t
++
++
++.SH "ENTRYPOINTS"
++
++The mcelog_t SELinux type can be entered via the "mcelog_exec_t" file type.  The default entrypoint paths for the mcelog_t domain are the following:"
++
++/usr/sbin/mcelog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
++.PP 
++The following process types are defined for mcelog:
++
++.EX
++.B mcelog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -44426,27 +47787,9 @@ index 0000000..1c3f6d3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mcelog:
-+
-+.EX
-+.B mcelog_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mcelog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mcelog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mcelog_log_t
@@ -44466,6 +47809,8 @@ index 0000000..1c3f6d3
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -44487,33 +47832,46 @@ index 0000000..1c3f6d3
 +selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8
 new file mode 100644
-index 0000000..4bea026
+index 0000000..5a26cad
 --- /dev/null
 +++ b/man/man8/mdadm_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,134 @@
 +.TH  "mdadm_selinux"  "8"  "mdadm" "dwalsh at redhat.com" "mdadm SELinux Policy documentation"
 +.SH "NAME"
 +mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mdadm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mdadm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mdadm processes execute with the mdadm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mdadm_t
++
++
++.SH "ENTRYPOINTS"
 +
++The mdadm_t SELinux type can be entered via the "mdadm_exec_t" file type.  The default entrypoint paths for the mdadm_t domain are the following:"
++
++/usr/sbin/raid-check, /sbin/mdmpd, /usr/sbin/iprinit, /usr/sbin/mdadm, /usr/sbin/iprupdate, /sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/iprdump
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mdadm_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
++.PP 
++The following process types are defined for mdadm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mdadm_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
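Review bot: In the PROCESS TYPES text on the new side of mdadm_selinux.8, the line `option to \fBps\bP` ends the bold run with `\bP` instead of `\fP`, so the font is never reset. The DESCRIPTION paragraph added in the same hunk uses the correct `\fBps\fP`. The ENTRYPOINTS sentence also ends with an unbalanced `"` after `following:`. Both recur in every regenerated page in this patch (memcached, mencoder, mock_build, mock, modemmanager, mongod, mount_ecryptfs), so the fix most likely belongs in the generator template: `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`.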
@@ -44557,27 +47915,9 @@ index 0000000..4bea026
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mdadm:
-+
-+.EX
-+.B mdadm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mdadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mdadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mdadm_var_run_t
@@ -44595,6 +47935,22 @@ index 0000000..4bea026
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mdadm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
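Review bot: The relocated NSSWITCH DOMAIN text says the booleans are turned on "for the mdadm_t", but `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1` set policy-wide booleans and make the change persistent. A reader hardening only mdadm could enable them believing the effect is limited to that domain. I would add a sentence such as `These booleans are system-wide: enabling them affects every domain that uses them, not only mdadm_t.` and correct `rather then using a sssd serve` to `rather than using an sssd server`. The same paragraphs appear in the memcached, mock_build, mock and mount_ecryptfs pages.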
@@ -44616,43 +47972,56 @@ index 0000000..4bea026
 +selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8
 new file mode 100644
-index 0000000..d61e282
+index 0000000..59f6f76
 --- /dev/null
 +++ b/man/man8/memcached_selinux.8
-@@ -0,0 +1,162 @@
+@@ -0,0 +1,173 @@
 +.TH  "memcached_selinux"  "8"  "memcached" "dwalsh at redhat.com" "memcached SELinux Policy documentation"
 +.SH "NAME"
 +memcached_selinux \- Security Enhanced Linux Policy for the memcached processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the memcached processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the memcached processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible.
++The memcached processes execute with the memcached_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
++.B ps -eZ | grep memcached_t
 +
-+.EX
-+.B setsebool -P httpd_can_network_memcache 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The memcached_t SELinux type can be entered via the "memcached_exec_t" file type.  The default entrypoint paths for the memcached_t domain are the following:"
++
++/usr/bin/memcached
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
++.PP 
++The following process types are defined for memcached:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B memcached_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean.
++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_can_network_memcache 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -44726,27 +48095,9 @@ index 0000000..d61e282
 +.EE
 +udp 11211
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for memcached:
-+
-+.EX
-+.B memcached_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type memcached_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type memcached_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B memcached_var_run_t
@@ -44756,6 +48107,22 @@ index 0000000..d61e282
 +	/var/run/ipa_memcached(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -44785,19 +48152,46 @@ index 0000000..d61e282
 \ No newline at end of file
 diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8
 new file mode 100644
-index 0000000..eecaa32
+index 0000000..ae09edd
 --- /dev/null
 +++ b/man/man8/mencoder_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,98 @@
 +.TH  "mencoder_selinux"  "8"  "mencoder" "dwalsh at redhat.com" "mencoder SELinux Policy documentation"
 +.SH "NAME"
 +mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mencoder processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mencoder processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mencoder processes execute with the mencoder_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mencoder_t
++
++
++.SH "ENTRYPOINTS"
++
++The mencoder_t SELinux type can be entered via the "mencoder_exec_t" file type.  The default entrypoint paths for the mencoder_t domain are the following:"
++
++/usr/bin/mencoder
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
++.PP 
++The following process types are defined for mencoder:
++
++.EX
++.B mencoder_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -44825,33 +48219,21 @@ index 0000000..eecaa32
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mencoder:
-+
-+.EX
-+.B mencoder_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mencoder_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mencoder_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mplayer_home_t
 +
 +	/home/[^/]*/\.mplayer(/.*)?
 +.br
++	/home/dwalsh/\.mplayer(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mplayer(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
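Review bot: The MANAGED FILES list for mplayer_home_t now includes `/home/dwalsh/\.mplayer(/.*)?` and `/var/lib/xguest/home/xguest/\.mplayer(/.*)?`, which look like per-account expansions from the machine where the page was generated rather than policy defaults. The paragraph above them states that the paths listed are the default paths, so the shipped page would misdescribe the default labeling and also publish a local account name. Keeping only the template entry `/home/[^/]*/\.mplayer(/.*)?`, or generating the pages on a host without local home-directory contexts, would avoid both problems.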
@@ -44874,33 +48256,46 @@ index 0000000..eecaa32
 +selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mock_build_selinux.8 b/man/man8/mock_build_selinux.8
 new file mode 100644
-index 0000000..d2d104c
+index 0000000..39884f3
 --- /dev/null
 +++ b/man/man8/mock_build_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "mock_build_selinux"  "8"  "mock_build" "dwalsh at redhat.com" "mock_build SELinux Policy documentation"
 +.SH "NAME"
 +mock_build_selinux \- Security Enhanced Linux Policy for the mock_build processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mock_build processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mock_build processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mock_build processes execute with the mock_build_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mock_build_t
 +
++
++.SH "ENTRYPOINTS"
++
++The mock_build_t SELinux type can be entered via the "mock_var_lib_t,mock_build_exec_t,mock_tmp_t" file types.  The default entrypoint paths for the mock_build_t domain are the following:"
++
++/var/lib/mock(/.*)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mock_build_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible.
++.PP 
++The following process types are defined for mock_build:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mock_build_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
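Review bot: The ENTRYPOINTS section added to mock_build_selinux.8 names three entrypoint file types in one quoted string, `"mock_var_lib_t,mock_build_exec_t,mock_tmp_t"`, but lists only `/var/lib/mock(/.*)?` as the default path. Entrypoint types determine which files can be executed to enter mock_build_t. From this page a reader auditing the domain cannot tell where files of the other two types live, and the temporary-file type among them is easy to miss. Listing the paths per type, or stating explicitly that a type has no default path, would make the section usable for review.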
@@ -44928,27 +48323,9 @@ index 0000000..d2d104c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mock_build:
-+
-+.EX
-+.B mock_build_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mock_build_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mock_build_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mock_cache_t
@@ -44974,6 +48351,22 @@ index 0000000..d2d104c
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mock_build_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -44993,47 +48386,60 @@ index 0000000..d2d104c
 +
 +.SH "SEE ALSO"
 +selinux(8), mock_build(8), semanage(8), restorecon(8), chcon(1)
-+, mock_selinux(8)
++, mock_selinux(8), mock_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8
 new file mode 100644
-index 0000000..8125ba7
+index 0000000..8578fa1
 --- /dev/null
 +++ b/man/man8/mock_selinux.8
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,181 @@
 +.TH  "mock_selinux"  "8"  "mock" "dwalsh at redhat.com" "mock SELinux Policy documentation"
 +.SH "NAME"
 +mock_selinux \- Security Enhanced Linux Policy for the mock processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mock processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mock processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible.
++The mock processes execute with the mock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
++.B ps -eZ | grep mock_t
 +
-+.EX
-+.B setsebool -P mock_enable_homedirs 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The mock_t SELinux type can be entered via the "mock_exec_t" file type.  The default entrypoint paths for the mock_t domain are the following:"
++
++/usr/sbin/mock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
++.PP 
++The following process types are defined for mock:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B mock_t, mock_build_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean.
++If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P mock_enable_homedirs 1
 +.EE
 +
 +.SH FILE CONTEXTS
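Review bot: The SEE ALSO line of mock_build_selinux.8 now reads `, mock_selinux(8), mock_selinux(8)`, listing the same page twice. This looks like the generator appending a related-page reference once per match without de-duplicating. The line should stay `, mock_selinux(8)`.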
@@ -45102,27 +48508,9 @@ index 0000000..8125ba7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mock:
-+
-+.EX
-+.B mock_t, mock_build_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mock_cache_t
@@ -45148,6 +48536,22 @@ index 0000000..8125ba7
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -45174,19 +48578,46 @@ index 0000000..8125ba7
 \ No newline at end of file
 diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8
 new file mode 100644
-index 0000000..9c7427c
+index 0000000..2b380b7
 --- /dev/null
 +++ b/man/man8/modemmanager_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,88 @@
 +.TH  "modemmanager_selinux"  "8"  "modemmanager" "dwalsh at redhat.com" "modemmanager SELinux Policy documentation"
 +.SH "NAME"
 +modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the modemmanager processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the modemmanager processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The modemmanager processes execute with the modemmanager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep modemmanager_t
++
++
++.SH "ENTRYPOINTS"
++
++The modemmanager_t SELinux type can be entered via the "modemmanager_exec_t" file type.  The default entrypoint paths for the modemmanager_t domain are the following:"
++
++/usr/sbin/modem-manager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
++.PP 
++The following process types are defined for modemmanager:
++
++.EX
++.B modemmanager_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -45214,27 +48645,11 @@ index 0000000..9c7427c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for modemmanager:
-+
-+.EX
-+.B modemmanager_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type modemmanager_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type modemmanager_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -45257,19 +48672,46 @@ index 0000000..9c7427c
 +selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8
 new file mode 100644
-index 0000000..53f1b03
+index 0000000..80552d2
 --- /dev/null
 +++ b/man/man8/mongod_selinux.8
-@@ -0,0 +1,181 @@
+@@ -0,0 +1,196 @@
 +.TH  "mongod_selinux"  "8"  "mongod" "dwalsh at redhat.com" "mongod SELinux Policy documentation"
 +.SH "NAME"
 +mongod_selinux \- Security Enhanced Linux Policy for the mongod processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mongod processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mongod processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mongod processes execute with the mongod_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mongod_t
++
++
++.SH "ENTRYPOINTS"
++
++The mongod_t SELinux type can be entered via the "mongod_exec_t" file type.  The default entrypoint paths for the mongod_t domain are the following:"
++
++/usr/bin/mongod, /usr/share/aeolus-conductor/dbomatic/dbomatic
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
++.PP 
++The following process types are defined for mongod:
++
++.EX
++.B mongod_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -45312,7 +48754,7 @@ index 0000000..53f1b03
 +.br
 +.TP 5
 +Paths: 
-+/var/log/aeolus-conductor/dbomatic\.log.*, /var/log/mongodb(/.*)?
++/var/log/mongo/mongod\.log.*, /var/log/aeolus-conductor/dbomatic\.log.*, /var/log/mongodb(/.*)?, /var/log/mongo(/.*)?
 +
 +.EX
 +.PP
@@ -45372,33 +48814,19 @@ index 0000000..53f1b03
 +Default Defined Ports:
 +tcp 27017
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mongod:
-+
-+.EX
-+.B mongod_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mongod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mongod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mongod_log_t
 +
++	/var/log/mongo(/.*)?
++.br
 +	/var/log/mongodb(/.*)?
 +.br
++	/var/log/mongo/mongod\.log.*
++.br
 +	/var/log/aeolus-conductor/dbomatic\.log.*
 +.br
 +
@@ -45420,6 +48848,8 @@ index 0000000..53f1b03
 +	/var/run/aeolus/dbomatic\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -45444,33 +48874,46 @@ index 0000000..53f1b03
 +selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mount_ecryptfs_selinux.8 b/man/man8/mount_ecryptfs_selinux.8
 new file mode 100644
-index 0000000..0bd5e95
+index 0000000..a23a28f
 --- /dev/null
 +++ b/man/man8/mount_ecryptfs_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "mount_ecryptfs_selinux"  "8"  "mount_ecryptfs" "dwalsh at redhat.com" "mount_ecryptfs SELinux Policy documentation"
 +.SH "NAME"
 +mount_ecryptfs_selinux \- Security Enhanced Linux Policy for the mount_ecryptfs processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mount_ecryptfs processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mount_ecryptfs processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mount_ecryptfs processes execute with the mount_ecryptfs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mount_ecryptfs_t
++
++
++.SH "ENTRYPOINTS"
 +
++The mount_ecryptfs_t SELinux type can be entered via the "mount_ecryptfs_exec_t" file type.  The default entrypoint paths for the mount_ecryptfs_t domain are the following:"
++
++/usr/sbin/mount\.ecryptfs_private, /usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/umount\.ecryptfs_private
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible.
++.PP 
++The following process types are defined for mount_ecryptfs:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mount_ecryptfs_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -45510,27 +48953,9 @@ index 0000000..0bd5e95
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mount_ecryptfs:
-+
-+.EX
-+.B mount_ecryptfs_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mount_ecryptfs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mount_ecryptfs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mount_ecryptfs_tmpfs_t
@@ -45544,6 +48969,22 @@ index 0000000..0bd5e95
 +	/dev/shm/pulse-shm.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -45563,54 +49004,67 @@ index 0000000..0bd5e95
 +
 +.SH "SEE ALSO"
 +selinux(8), mount_ecryptfs(8), semanage(8), restorecon(8), chcon(1)
-+, mount_selinux(8)
++, mount_selinux(8), mount_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8
 new file mode 100644
-index 0000000..8758c79
+index 0000000..ba6d166
 --- /dev/null
 +++ b/man/man8/mount_selinux.8
-@@ -0,0 +1,227 @@
+@@ -0,0 +1,238 @@
 +.TH  "mount_selinux"  "8"  "mount" "dwalsh at redhat.com" "mount SELinux Policy documentation"
 +.SH "NAME"
 +mount_selinux \- Security Enhanced Linux Policy for the mount processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mount processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mount processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible.
++The mount processes execute with the mount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean.
++.B ps -eZ | grep mount_t
 +
-+.EX
-+.B setsebool -P mount_anyfile 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The mount_t SELinux type can be entered via the "mount_exec_t,fusermount_exec_t" file types.  The default entrypoint paths for the mount_t domain are the following:"
++
++/sbin/mount.*, /usr/bin/umount.*, /usr/sbin/umount.*, /bin/umount.*, /sbin/umount.*, /usr/bin/mount.*, /bin/mount.*, /usr/sbin/mount.*, /usr/bin/fusermount, /bin/fusermount
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
++.PP 
++The following process types are defined for mount:
 +
 +.EX
-+.B setsebool -P xguest_mount_media 1
++.B mount_t, mount_ecryptfs_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P mount_anyfile 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P xguest_mount_media 1
 +.EE
 +
 +.SH FILE CONTEXTS
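Review bot: The relocated PROCESS TYPES paragraph in mount_selinux.8 closes the bold run with `\bP` in `\fBps\bP`, and `\b` is not the font escape, so it should read `\fBps\fP` as the new DESCRIPTION line in the same hunk does. The new SEE ALSO line at the top of this hunk also lists `mount_selinux(8)` twice, and the ENTRYPOINTS sentence ends in a stray `"` after `following:`. All three recur in the mozilla_plugin_config, mozilla_plugin, mozilla and mpd pages further down, which suggests fixing the generator rather than the pages. The hunk spans the end of mount_ecryptfs_selinux.8 and the start of mount_selinux.8, so both sections continue outside it.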
@@ -45691,27 +49145,9 @@ index 0000000..8758c79
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mount:
-+
-+.EX
-+.B mount_t, mount_ecryptfs_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -45775,6 +49211,22 @@ index 0000000..8758c79
 +.B non_security_file_type
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -45801,33 +49253,46 @@ index 0000000..8758c79
 \ No newline at end of file
 diff --git a/man/man8/mozilla_plugin_config_selinux.8 b/man/man8/mozilla_plugin_config_selinux.8
 new file mode 100644
-index 0000000..eab33ec
+index 0000000..079fa2d
 --- /dev/null
 +++ b/man/man8/mozilla_plugin_config_selinux.8
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,231 @@
 +.TH  "mozilla_plugin_config_selinux"  "8"  "mozilla_plugin_config" "dwalsh at redhat.com" "mozilla_plugin_config SELinux Policy documentation"
 +.SH "NAME"
 +mozilla_plugin_config_selinux \- Security Enhanced Linux Policy for the mozilla_plugin_config processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mozilla_plugin_config processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mozilla_plugin_config processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mozilla_plugin_config processes execute with the mozilla_plugin_config_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mozilla_plugin_config_t
 +
++
++.SH "ENTRYPOINTS"
++
++The mozilla_plugin_config_t SELinux type can be entered via the "mozilla_plugin_config_exec_t" file type.  The default entrypoint paths for the mozilla_plugin_config_t domain are the following:"
++
++/usr/lib/nspluginwrapper/plugin-config
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible.
++.PP 
++The following process types are defined for mozilla_plugin_config:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mozilla_plugin_config_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -45855,27 +49320,9 @@ index 0000000..eab33ec
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mozilla_plugin_config:
-+
-+.EX
-+.B mozilla_plugin_config_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mozilla_plugin_config_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mozilla_plugin_config_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mozilla_home_t
@@ -45910,6 +49357,66 @@ index 0000000..eab33ec
 +.br
 +	/home/[^/]*/\.config/chromium(/.*)?
 +.br
++	/home/dwalsh/\.java(/.*)?
++.br
++	/home/dwalsh/\.adobe(/.*)?
++.br
++	/home/dwalsh/\.gnash(/.*)?
++.br
++	/home/dwalsh/\.galeon(/.*)?
++.br
++	/home/dwalsh/\.spicec(/.*)?
++.br
++	/home/dwalsh/\.mozilla(/.*)?
++.br
++	/home/dwalsh/\.phoenix(/.*)?
++.br
++	/home/dwalsh/\.netscape(/.*)?
++.br
++	/home/dwalsh/\.ICAClient(/.*)?
++.br
++	/home/dwalsh/\.macromedia(/.*)?
++.br
++	/home/dwalsh/\.thunderbird(/.*)?
++.br
++	/home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++	/home/dwalsh/\.icedteaplugin(/.*)?
++.br
++	/home/dwalsh/zimbrauserdata(/.*)?
++.br
++	/home/dwalsh/\.config/chromium(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
 +
 +.br
 +.B mozilla_plugin_rw_t
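Review bot: The entries added under `mozilla_home_t` hard-code one account's home directory (`/home/dwalsh/\.java(/.*)?` and the rest) and the `/var/lib/xguest/home/xguest/...` tree, beside the generic `/home/[^/]*/...` patterns already listed. They look like expansions of the home-directory contexts on the machine the page was generated on, not part of the policy (worth confirming). If so, the shipped page names a build-host account and documents managed paths that most systems do not have. I would regenerate the pages so that only the template patterns remain, e.g. keep `/home/[^/]*/\.mozilla(/.*)?` and drop the per-user lines. The same per-user lines are added in the later hunks for mozilla_plugin_config_selinux.8 (`user_fonts_cache_t`), mozilla_plugin_selinux.8 and mozilla_selinux.8; the MANAGED FILES section itself starts outside this hunk.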
@@ -45932,6 +49439,34 @@ index 0000000..eab33ec
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -45952,21 +49487,50 @@ index 0000000..eab33ec
 +
 +.SH "SEE ALSO"
 +selinux(8), mozilla_plugin_config(8), semanage(8), restorecon(8), chcon(1)
-+, mozilla_selinux(8), mozilla_plugin_selinux(8)
++, mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_selinux(8), mozilla_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/mozilla_plugin_selinux.8 b/man/man8/mozilla_plugin_selinux.8
 new file mode 100644
-index 0000000..8ecc677
+index 0000000..8d73958
 --- /dev/null
 +++ b/man/man8/mozilla_plugin_selinux.8
-@@ -0,0 +1,254 @@
+@@ -0,0 +1,361 @@
 +.TH  "mozilla_plugin_selinux"  "8"  "mozilla_plugin" "dwalsh at redhat.com" "mozilla_plugin SELinux Policy documentation"
 +.SH "NAME"
 +mozilla_plugin_selinux \- Security Enhanced Linux Policy for the mozilla_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mozilla_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mozilla_plugin processes via flexible mandatory access control.
++
++The mozilla_plugin processes execute with the mozilla_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mozilla_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The mozilla_plugin_t SELinux type can be entered via the "mozilla_plugin_exec_t" file type.  The default entrypoint paths for the mozilla_plugin_t domain are the following:"
++
++/usr/bin/nspluginscan, /usr/lib/nspluginwrapper/npviewer.bin, /usr/lib/xulrunner[^/]*/plugin-container, /usr/bin/nspluginviewer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for mozilla_plugin:
++
++.EX
++.B mozilla_plugin_config_t, mozilla_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  mozilla_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla_plugin with the tightest access possible.
@@ -45993,22 +49557,6 @@ index 0000000..8ecc677
 +.B setsebool -P mozilla_plugin_can_network_connect 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -46071,27 +49619,9 @@ index 0000000..8ecc677
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mozilla_plugin:
-+
-+.EX
-+.B mozilla_plugin_config_t, mozilla_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mozilla_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mozilla_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gnome_home_type
@@ -46108,6 +49638,18 @@ index 0000000..8ecc677
 +.br
 +	/home/[^/]*/\.cert(/.*)?
 +.br
++	/home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++	/home/dwalsh/\.pki(/.*)?
++.br
++	/home/dwalsh/\.cert(/.*)?
++.br
++	/var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.pki(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cert(/.*)?
++.br
 +
 +.br
 +.B mozilla_home_t
@@ -46142,6 +49684,66 @@ index 0000000..8ecc677
 +.br
 +	/home/[^/]*/\.config/chromium(/.*)?
 +.br
++	/home/dwalsh/\.java(/.*)?
++.br
++	/home/dwalsh/\.adobe(/.*)?
++.br
++	/home/dwalsh/\.gnash(/.*)?
++.br
++	/home/dwalsh/\.galeon(/.*)?
++.br
++	/home/dwalsh/\.spicec(/.*)?
++.br
++	/home/dwalsh/\.mozilla(/.*)?
++.br
++	/home/dwalsh/\.phoenix(/.*)?
++.br
++	/home/dwalsh/\.netscape(/.*)?
++.br
++	/home/dwalsh/\.ICAClient(/.*)?
++.br
++	/home/dwalsh/\.macromedia(/.*)?
++.br
++	/home/dwalsh/\.thunderbird(/.*)?
++.br
++	/home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++	/home/dwalsh/\.icedteaplugin(/.*)?
++.br
++	/home/dwalsh/zimbrauserdata(/.*)?
++.br
++	/home/dwalsh/\.config/chromium(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
 +
 +.br
 +.B mozilla_plugin_tmp_t
@@ -46166,6 +49768,18 @@ index 0000000..8ecc677
 +.br
 +	/home/[^/]*/\.pulse-cookie
 +.br
++	/home/dwalsh/\.pulse(/.*)?
++.br
++	/home/dwalsh/\.esd_auth
++.br
++	/home/dwalsh/\.pulse-cookie
++.br
++	/var/lib/xguest/home/xguest/\.pulse(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.esd_auth
++.br
++	/var/lib/xguest/home/xguest/\.pulse-cookie
++.br
 +
 +.br
 +.B user_fonts_cache_t
@@ -46182,6 +49796,18 @@ index 0000000..8ecc677
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_tmpfs_t
@@ -46191,6 +49817,22 @@ index 0000000..8ecc677
 +	/dev/shm/pulse-shm.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -46213,21 +49855,50 @@ index 0000000..8ecc677
 +
 +.SH "SEE ALSO"
 +selinux(8), mozilla_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8), mozilla_selinux(8), mozilla_plugin_config_selinux(8)
++, setsebool(8), mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_config_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8
 new file mode 100644
-index 0000000..118b8d9
+index 0000000..2bb7657
 --- /dev/null
 +++ b/man/man8/mozilla_selinux.8
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,400 @@
 +.TH  "mozilla_selinux"  "8"  "mozilla" "dwalsh at redhat.com" "mozilla SELinux Policy documentation"
 +.SH "NAME"
 +mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mozilla processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mozilla processes via flexible mandatory access control.
++
++The mozilla processes execute with the mozilla_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mozilla_t
++
++
++.SH "ENTRYPOINTS"
++
++The mozilla_t SELinux type can be entered via the "mozilla_exec_t" file type.  The default entrypoint paths for the mozilla_t domain are the following:"
++
++/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/galeon/galeon, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/netscape, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/epiphany-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/netscape/base-4/wrapper, /usr/bin/mozilla-snapshot, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/bin/mozilla-[0-9].*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla, /usr/bin/epiphany
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
++.PP 
++The following process types are defined for mozilla:
++
++.EX
++.B mozilla_t, mozilla_plugin_config_t, mozilla_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible.
@@ -46261,22 +49932,6 @@ index 0000000..118b8d9
 +.B setsebool -P mozilla_plugin_can_network_connect 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -46383,27 +50038,9 @@ index 0000000..118b8d9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mozilla:
-+
-+.EX
-+.B mozilla_t, mozilla_plugin_config_t, mozilla_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mozilla_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mozilla_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gconf_home_t
@@ -46416,6 +50053,14 @@ index 0000000..118b8d9
 +.br
 +	/home/[^/]*/\.gconf(d)?(/.*)?
 +.br
++	/home/dwalsh/\.local.*
++.br
++	/home/dwalsh/\.gconf(d)?(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local.*
++.br
++	/var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
 +
 +.br
 +.B gnome_home_type
@@ -46454,6 +50099,66 @@ index 0000000..118b8d9
 +.br
 +	/home/[^/]*/\.config/chromium(/.*)?
 +.br
++	/home/dwalsh/\.java(/.*)?
++.br
++	/home/dwalsh/\.adobe(/.*)?
++.br
++	/home/dwalsh/\.gnash(/.*)?
++.br
++	/home/dwalsh/\.galeon(/.*)?
++.br
++	/home/dwalsh/\.spicec(/.*)?
++.br
++	/home/dwalsh/\.mozilla(/.*)?
++.br
++	/home/dwalsh/\.phoenix(/.*)?
++.br
++	/home/dwalsh/\.netscape(/.*)?
++.br
++	/home/dwalsh/\.ICAClient(/.*)?
++.br
++	/home/dwalsh/\.macromedia(/.*)?
++.br
++	/home/dwalsh/\.thunderbird(/.*)?
++.br
++	/home/dwalsh/\.gcjwebplugin(/.*)?
++.br
++	/home/dwalsh/\.icedteaplugin(/.*)?
++.br
++	/home/dwalsh/zimbrauserdata(/.*)?
++.br
++	/home/dwalsh/\.config/chromium(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.java(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.adobe(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gnash(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.galeon(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spicec(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mozilla(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.phoenix(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.netscape(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.ICAClient(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.macromedia(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.thunderbird(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/zimbrauserdata(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config/chromium(/.*)?
++.br
 +
 +.br
 +.B mozilla_tmp_t
@@ -46478,6 +50183,18 @@ index 0000000..118b8d9
 +.br
 +	/home/[^/]*/\.pulse-cookie
 +.br
++	/home/dwalsh/\.pulse(/.*)?
++.br
++	/home/dwalsh/\.esd_auth
++.br
++	/home/dwalsh/\.pulse-cookie
++.br
++	/var/lib/xguest/home/xguest/\.pulse(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.esd_auth
++.br
++	/var/lib/xguest/home/xguest/\.pulse-cookie
++.br
 +
 +.br
 +.B user_fonts_cache_t
@@ -46494,6 +50211,34 @@ index 0000000..118b8d9
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -46521,17 +50266,46 @@ index 0000000..118b8d9
 \ No newline at end of file
 diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8
 new file mode 100644
-index 0000000..98677b7
+index 0000000..8318e91
 --- /dev/null
 +++ b/man/man8/mpd_selinux.8
-@@ -0,0 +1,252 @@
+@@ -0,0 +1,263 @@
 +.TH  "mpd_selinux"  "8"  "mpd" "dwalsh at redhat.com" "mpd SELinux Policy documentation"
 +.SH "NAME"
 +mpd_selinux \- Security Enhanced Linux Policy for the mpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mpd processes via flexible mandatory access control.
++
++The mpd processes execute with the mpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The mpd_t SELinux type can be entered via the "mpd_exec_t" file type.  The default entrypoint paths for the mpd_t domain are the following:"
++
++/usr/bin/mpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for mpd:
++
++.EX
++.B mpd_t, mplayer_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible.
@@ -46572,22 +50346,6 @@ index 0000000..98677b7
 +.B setsebool -P daemons_dump_core 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -46697,27 +50455,9 @@ index 0000000..98677b7
 +Default Defined Ports:
 +tcp 6600
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mpd:
-+
-+.EX
-+.B mpd_t, mplayer_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -46751,6 +50491,22 @@ index 0000000..98677b7
 +	/var/lib/mpd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -46780,50 +50536,63 @@ index 0000000..98677b7
 \ No newline at end of file
 diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8
 new file mode 100644
-index 0000000..f6d95b8
+index 0000000..3b66aed
 --- /dev/null
 +++ b/man/man8/mplayer_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,194 @@
 +.TH  "mplayer_selinux"  "8"  "mplayer" "dwalsh at redhat.com" "mplayer SELinux Policy documentation"
 +.SH "NAME"
 +mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mplayer processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mplayer processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible.
++The mplayer processes execute with the mplayer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
++.B ps -eZ | grep mplayer_t
 +
-+.EX
-+.B setsebool -P mplayer_execstack 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The mplayer_t SELinux type can be entered via the "mplayer_exec_t" file type.  The default entrypoint paths for the mplayer_t domain are the following:"
++
++/usr/bin/mplayer, /usr/bin/xine, /usr/bin/vlc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
++.PP 
++The following process types are defined for mplayer:
 +
 +.EX
-+.B setsebool -P unconfined_mplayer 1
++.B mplayer_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P mplayer_execstack 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean.
++If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P unconfined_mplayer 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -46880,33 +50649,19 @@ index 0000000..f6d95b8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mplayer:
-+
-+.EX
-+.B mplayer_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mplayer_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mplayer_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mplayer_home_t
 +
 +	/home/[^/]*/\.mplayer(/.*)?
 +.br
++	/home/dwalsh/\.mplayer(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mplayer(/.*)?
++.br
 +
 +.br
 +.B mplayer_tmpfs_t
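Review bot: The paths added under `mplayer_home_t`, `/home/dwalsh/\.mplayer(/.*)?` and `/var/lib/xguest/home/xguest/\.mplayer(/.*)?`, are per-account expansions of the generic `/home/[^/]*/\.mplayer(/.*)?` entry above them, not default paths. They look as if they were picked up from the home-directory contexts of the machine the page was generated on, so the shipped man page names that host's local accounts while the section text presents the list as the defaults for the file type. I would drop these lines with their `.br` and keep only the generic pattern. The next hunk adds the same kind of entries, from `/home/dwalsh/\.fontconfig(/.*)?` through `/var/lib/xguest/home/xguest/\.fonts\.cache-.*`, and needs the same treatment. The MANAGED FILES section continues past the end of this hunk.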
@@ -46927,6 +50682,34 @@ index 0000000..f6d95b8
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -46954,33 +50737,46 @@ index 0000000..f6d95b8
 \ No newline at end of file
 diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8
 new file mode 100644
-index 0000000..9fcd4d4
+index 0000000..5d72e79
 --- /dev/null
 +++ b/man/man8/mrtg_selinux.8
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,212 @@
 +.TH  "mrtg_selinux"  "8"  "mrtg" "dwalsh at redhat.com" "mrtg SELinux Policy documentation"
 +.SH "NAME"
 +mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mrtg processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mrtg processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mrtg processes execute with the mrtg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep mrtg_t
++
++
++.SH "ENTRYPOINTS"
 +
++The mrtg_t SELinux type can be entered via the "mrtg_exec_t" file type.  The default entrypoint paths for the mrtg_t domain are the following:"
++
++/usr/bin/mrtg
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
++.PP 
++The following process types are defined for mrtg:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B mrtg_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -47052,27 +50848,9 @@ index 0000000..9fcd4d4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mrtg:
-+
-+.EX
-+.B mrtg_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mrtg_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mrtg_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_sys_content_t
@@ -47140,6 +50918,22 @@ index 0000000..9fcd4d4
 +	/var/run/mrtg\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -47161,50 +50955,63 @@ index 0000000..9fcd4d4
 +selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8
 new file mode 100644
-index 0000000..112257e
+index 0000000..f6d5283
 --- /dev/null
 +++ b/man/man8/mscan_selinux.8
-@@ -0,0 +1,181 @@
+@@ -0,0 +1,192 @@
 +.TH  "mscan_selinux"  "8"  "mscan" "dwalsh at redhat.com" "mscan SELinux Policy documentation"
 +.SH "NAME"
 +mscan_selinux \- Security Enhanced Linux Policy for the mscan processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mscan processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mscan processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible.
++The mscan processes execute with the mscan_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
++.B ps -eZ | grep mscan_t
 +
-+.EX
-+.B setsebool -P clamscan_read_user_content 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The mscan_t SELinux type can be entered via the "mscan_exec_t" file type.  The default entrypoint paths for the mscan_t domain are the following:"
++
++/usr/sbin/MailScanner
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
++.PP 
++The following process types are defined for mscan:
 +
 +.EX
-+.B setsebool -P clamscan_can_scan_system 1
++.B mscan_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P clamscan_read_user_content 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean.
++If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P clamscan_can_scan_system 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -47269,27 +51076,9 @@ index 0000000..112257e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mscan:
-+
-+.EX
-+.B mscan_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mscan_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mscan_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B clamd_var_run_t
@@ -47323,6 +51112,22 @@ index 0000000..112257e
 +	/var/run/MailScanner\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -47349,33 +51154,46 @@ index 0000000..112257e
 \ No newline at end of file
 diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
 new file mode 100644
-index 0000000..e542ab5
+index 0000000..f29c4de
 --- /dev/null
 +++ b/man/man8/munin_selinux.8
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,224 @@
 +.TH  "munin_selinux"  "8"  "munin" "dwalsh at redhat.com" "munin SELinux Policy documentation"
 +.SH "NAME"
 +munin_selinux \- Security Enhanced Linux Policy for the munin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the munin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the munin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The munin processes execute with the munin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep munin_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The munin_t SELinux type can be entered via the "munin_exec_t" file type.  The default entrypoint paths for the munin_t domain are the following:"
++
++/usr/sbin/munin-.*, /usr/share/munin/munin-.*, /usr/share/munin/plugins/.*, /usr/bin/munin-.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
++.PP 
++The following process types are defined for munin:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B munin_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -47488,27 +51306,9 @@ index 0000000..e542ab5
 +.EE
 +udp 4949
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for munin:
-+
-+.EX
-+.B munin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type munin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type munin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_munin_content_t
@@ -47523,6 +51323,12 @@ index 0000000..e542ab5
 +.br
 +
 +.br
++.B munin_plugin_state_t
++
++	/var/lib/munin/plugin-state(/.*)?
++.br
++
++.br
 +.B munin_tmp_t
 +
 +
@@ -47538,6 +51344,22 @@ index 0000000..e542ab5
 +	/var/run/munin(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -47562,19 +51384,46 @@ index 0000000..e542ab5
 +selinux(8), munin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mysqld_safe_selinux.8 b/man/man8/mysqld_safe_selinux.8
 new file mode 100644
-index 0000000..bb65526
+index 0000000..3346da5
 --- /dev/null
 +++ b/man/man8/mysqld_safe_selinux.8
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,109 @@
 +.TH  "mysqld_safe_selinux"  "8"  "mysqld_safe" "dwalsh at redhat.com" "mysqld_safe SELinux Policy documentation"
 +.SH "NAME"
 +mysqld_safe_selinux \- Security Enhanced Linux Policy for the mysqld_safe processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mysqld_safe processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mysqld_safe processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mysqld_safe processes execute with the mysqld_safe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mysqld_safe_t
++
++
++.SH "ENTRYPOINTS"
++
++The mysqld_safe_t SELinux type can be entered via the "mysqld_safe_exec_t" file type.  The default entrypoint paths for the mysqld_safe_t domain are the following:"
++
++/usr/bin/mysqld_safe
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible.
++.PP 
++The following process types are defined for mysqld_safe:
++
++.EX
++.B mysqld_safe_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -47602,27 +51451,9 @@ index 0000000..bb65526
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mysqld_safe:
-+
-+.EX
-+.B mysqld_safe_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mysqld_safe_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mysqld_safe_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mysqld_db_t
@@ -47644,6 +51475,8 @@ index 0000000..bb65526
 +	/var/lib/mysql/mysql\.sock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
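Review bot: The added `.SH NSSWITCH DOMAIN` heading has no body: it is followed directly by `.SH "COMMANDS"`, so the mysqld_safe page gains an empty section. The heading should be omitted when there is nothing to list under it, which is presumably a check the page generator is missing. The next hunk shows a similar slip in the same page, where the SEE ALSO line becomes `, mysqld_selinux(8), mysqld_selinux(8)` with the reference listed twice.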
@@ -47663,54 +51496,67 @@ index 0000000..bb65526
 +
 +.SH "SEE ALSO"
 +selinux(8), mysqld_safe(8), semanage(8), restorecon(8), chcon(1)
-+, mysqld_selinux(8)
++, mysqld_selinux(8), mysqld_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8
 new file mode 100644
-index 0000000..aefb125
+index 0000000..f42b27f
 --- /dev/null
 +++ b/man/man8/mysqld_selinux.8
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,279 @@
 +.TH  "mysqld_selinux"  "8"  "mysqld" "dwalsh at redhat.com" "mysqld SELinux Policy documentation"
 +.SH "NAME"
 +mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mysqld processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mysqld processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible.
++The mysqld processes execute with the mysqld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean.
++.B ps -eZ | grep mysqld_t
 +
-+.EX
-+.B setsebool -P mysql_connect_any 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The mysqld_t SELinux type can be entered via the "mysqld_exec_t" file type.  The default entrypoint paths for the mysqld_t domain are the following:"
++
++/usr/libexec/mysqld, /usr/bin/mysql_upgrade, /usr/sbin/mysqld(-max)?, /usr/sbin/ndbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
 +.PP
-+If you want to allow users to connect to the local mysql server, you must turn on the user_mysql_connect boolean.
++Policy governs the access confined processes have to files. 
++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
++.PP 
++The following process types are defined for mysqld:
 +
 +.EX
-+.B setsebool -P user_mysql_connect 1
++.B mysqld_safe_t, mysqlmanagerd_t, mysqld_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P mysql_connect_any 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean.
++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P selinuxuser_mysql_connect_enabled 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -47857,27 +51703,9 @@ index 0000000..aefb125
 +Default Defined Ports:
 +tcp 2273
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mysqld:
-+
-+.EX
-+.B mysqld_safe_t, mysqlmanagerd_t, mysqld_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mysqld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mysqld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B hugetlbfs_t
@@ -47913,6 +51741,22 @@ index 0000000..aefb125
 +	/var/lib/mysql/mysql\.sock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -47942,19 +51786,46 @@ index 0000000..aefb125
 \ No newline at end of file
 diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8
 new file mode 100644
-index 0000000..c4cb97f
+index 0000000..ee79494
 --- /dev/null
 +++ b/man/man8/mysqlmanagerd_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,136 @@
 +.TH  "mysqlmanagerd_selinux"  "8"  "mysqlmanagerd" "dwalsh at redhat.com" "mysqlmanagerd SELinux Policy documentation"
 +.SH "NAME"
 +mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the mysqlmanagerd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the mysqlmanagerd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The mysqlmanagerd processes execute with the mysqlmanagerd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep mysqlmanagerd_t
++
++
++.SH "ENTRYPOINTS"
++
++The mysqlmanagerd_t SELinux type can be entered via the "mysqlmanagerd_exec_t" file type.  The default entrypoint paths for the mysqlmanagerd_t domain are the following:"
++
++/usr/sbin/mysqlmanager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
++.PP 
++The following process types are defined for mysqlmanagerd:
++
++.EX
++.B mysqlmanagerd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
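Review bot: The relocated PROCESS TYPES block still carries the malformed font escape `\fBps\bP`: `\b` is not a font change, so bold is never switched off after `ps`. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends in an unmatched quote (`are the following:"`), which should be dropped. Both recur in each nagios_*_selinux.8 page below; since these pages look generated, the fix probably belongs in the generator template rather than in this patch.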
@@ -48021,27 +51892,9 @@ index 0000000..c4cb97f
 +Default Defined Ports:
 +tcp 2273
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for mysqlmanagerd:
-+
-+.EX
-+.B mysqlmanagerd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type mysqlmanagerd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type mysqlmanagerd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mysqlmanagerd_var_run_t
@@ -48049,6 +51902,8 @@ index 0000000..c4cb97f
 +	/var/run/mysqld/mysqlmanager.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
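Review bot: `.SH NSSWITCH DOMAIN` is now emitted with no body for mysqlmanagerd_t, so the rendered page shows an empty section directly above COMMANDS. A reader cannot tell whether the domain has no nsswitch-related booleans or whether the text was lost. Either omit the heading when there is nothing to list, or add a line such as `No nsswitch booleans apply to this domain.` if that is in fact the case. The same empty heading is added in the nagios_admin_plugin, nagios_checkdisk_plugin, nagios_eventhandler_plugin, nagios_mail_plugin and nagios_system_plugin hunks.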
@@ -48073,19 +51928,46 @@ index 0000000..c4cb97f
 +selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nagios_admin_plugin_selinux.8 b/man/man8/nagios_admin_plugin_selinux.8
 new file mode 100644
-index 0000000..0c5ebc6
+index 0000000..0c53f7d
 --- /dev/null
 +++ b/man/man8/nagios_admin_plugin_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "nagios_admin_plugin_selinux"  "8"  "nagios_admin_plugin" "dwalsh at redhat.com" "nagios_admin_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_admin_plugin_selinux \- Security Enhanced Linux Policy for the nagios_admin_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_admin_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_admin_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_admin_plugin processes execute with the nagios_admin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nagios_admin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_admin_plugin_t SELinux type can be entered via the "nagios_admin_plugin_exec_t" file type.  The default entrypoint paths for the nagios_admin_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_file_age
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_admin_plugin:
++
++.EX
++.B nagios_admin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -48113,27 +51995,11 @@ index 0000000..0c5ebc6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_admin_plugin:
-+
-+.EX
-+.B nagios_admin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_admin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_admin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -48154,23 +52020,50 @@ index 0000000..0c5ebc6
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_admin_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nagios_checkdisk_plugin_selinux.8 b/man/man8/nagios_checkdisk_plugin_selinux.8
 new file mode 100644
-index 0000000..27a6d67
+index 0000000..21fd651
 --- /dev/null
 +++ b/man/man8/nagios_checkdisk_plugin_selinux.8
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,93 @@
 +.TH  "nagios_checkdisk_plugin_selinux"  "8"  "nagios_checkdisk_plugin" "dwalsh at redhat.com" "nagios_checkdisk_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_checkdisk_plugin_selinux \- Security Enhanced Linux Policy for the nagios_checkdisk_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_checkdisk_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_checkdisk_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_checkdisk_plugin processes execute with the nagios_checkdisk_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nagios_checkdisk_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_checkdisk_plugin_t SELinux type can be entered via the "nagios_checkdisk_plugin_exec_t" file type.  The default entrypoint paths for the nagios_checkdisk_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_linux_raid, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_disk
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_checkdisk_plugin:
++
++.EX
++.B nagios_checkdisk_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
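Review bot: The new SEE ALSO line for nagios_admin_plugin lists `nagios_selinux(8)` twice in a row; it should start `, nagios_selinux(8), nagios_checkdisk_plugin_selinux(8), …` with the single entry. The duplicate is repeated in the SEE ALSO lines of the checkdisk, eventhandler, mail, services and system plugin pages, which suggests the cross-reference list is built without de-duplication. This hunk runs on into the header of nagios_checkdisk_plugin_selinux.8, which has the `\fBps\bP` and trailing-quote defects as well.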
@@ -48202,27 +52095,11 @@ index 0000000..27a6d67
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_checkdisk_plugin:
-+
-+.EX
-+.B nagios_checkdisk_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_checkdisk_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_checkdisk_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -48243,23 +52120,50 @@ index 0000000..27a6d67
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_checkdisk_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nagios_eventhandler_plugin_selinux.8 b/man/man8/nagios_eventhandler_plugin_selinux.8
 new file mode 100644
-index 0000000..b5cd0c2
+index 0000000..12b6701
 --- /dev/null
 +++ b/man/man8/nagios_eventhandler_plugin_selinux.8
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,109 @@
 +.TH  "nagios_eventhandler_plugin_selinux"  "8"  "nagios_eventhandler_plugin" "dwalsh at redhat.com" "nagios_eventhandler_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_eventhandler_plugin_selinux \- Security Enhanced Linux Policy for the nagios_eventhandler_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_eventhandler_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_eventhandler_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_eventhandler_plugin processes execute with the nagios_eventhandler_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nagios_eventhandler_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_eventhandler_plugin_t SELinux type can be entered via the "nagios_eventhandler_plugin_exec_t" file type.  The default entrypoint paths for the nagios_eventhandler_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/eventhandlers(/.*)
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_eventhandler_plugin:
++
++.EX
++.B nagios_eventhandler_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -48295,27 +52199,9 @@ index 0000000..b5cd0c2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_eventhandler_plugin:
-+
-+.EX
-+.B nagios_eventhandler_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_eventhandler_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_eventhandler_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nagios_eventhandler_plugin_tmp_t
@@ -48329,6 +52215,8 @@ index 0000000..b5cd0c2
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -48348,23 +52236,50 @@ index 0000000..b5cd0c2
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_eventhandler_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nagios_mail_plugin_selinux.8 b/man/man8/nagios_mail_plugin_selinux.8
 new file mode 100644
-index 0000000..6d9ae28
+index 0000000..2b34de1
 --- /dev/null
 +++ b/man/man8/nagios_mail_plugin_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "nagios_mail_plugin_selinux"  "8"  "nagios_mail_plugin" "dwalsh at redhat.com" "nagios_mail_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_mail_plugin_selinux \- Security Enhanced Linux Policy for the nagios_mail_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_mail_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_mail_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_mail_plugin processes execute with the nagios_mail_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nagios_mail_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_mail_plugin_t SELinux type can be entered via the "nagios_mail_plugin_exec_t" file type.  The default entrypoint paths for the nagios_mail_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_mailq
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_mail_plugin:
++
++.EX
++.B nagios_mail_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -48392,27 +52307,11 @@ index 0000000..6d9ae28
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_mail_plugin:
-+
-+.EX
-+.B nagios_mail_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_mail_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_mail_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -48433,37 +52332,50 @@ index 0000000..6d9ae28
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_mail_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8
 new file mode 100644
-index 0000000..65258c7
+index 0000000..a236021
 --- /dev/null
 +++ b/man/man8/nagios_selinux.8
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,275 @@
 +.TH  "nagios_selinux"  "8"  "nagios" "dwalsh at redhat.com" "nagios SELinux Policy documentation"
 +.SH "NAME"
 +nagios_selinux \- Security Enhanced Linux Policy for the nagios processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios processes execute with the nagios_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep nagios_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The nagios_t SELinux type can be entered via the "nagios_exec_t" file type.  The default entrypoint paths for the nagios_t domain are the following:"
++
++/usr/s?bin/nagios
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nagios_t, nagios_mail_plugin_t, nagios_checkdisk_plugin_t, nagios_services_plugin_t, nagios_eventhandler_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_admin_plugin_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -48639,27 +52551,9 @@ index 0000000..65258c7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios:
-+
-+.EX
-+.B nagios_t, nagios_mail_plugin_t, nagios_checkdisk_plugin_t, nagios_services_plugin_t, nagios_eventhandler_plugin_t, nagios_system_plugin_t, nagios_unconfined_plugin_t, nagios_admin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nagios_log_t
@@ -48685,6 +52579,22 @@ index 0000000..65258c7
 +	/var/run/nagios.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -48708,33 +52618,46 @@ index 0000000..65258c7
 \ No newline at end of file
 diff --git a/man/man8/nagios_services_plugin_selinux.8 b/man/man8/nagios_services_plugin_selinux.8
 new file mode 100644
-index 0000000..544779b
+index 0000000..0a6760e
 --- /dev/null
 +++ b/man/man8/nagios_services_plugin_selinux.8
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,107 @@
 +.TH  "nagios_services_plugin_selinux"  "8"  "nagios_services_plugin" "dwalsh at redhat.com" "nagios_services_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_services_plugin_selinux \- Security Enhanced Linux Policy for the nagios_services_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_services_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_services_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_services_plugin processes execute with the nagios_services_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nagios_services_plugin_t
++
++
++.SH "ENTRYPOINTS"
 +
++The nagios_services_plugin_t SELinux type can be entered via the "nagios_services_plugin_exec_t" file type.  The default entrypoint paths for the nagios_services_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_dns, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/
 lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_fping
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_services_plugin:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nagios_services_plugin_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -48766,27 +52689,25 @@ index 0000000..544779b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type nagios_services_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_services_plugin:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B nagios_services_plugin_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type nagios_services_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -48807,23 +52728,50 @@ index 0000000..544779b
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_services_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nagios_system_plugin_selinux.8 b/man/man8/nagios_system_plugin_selinux.8
 new file mode 100644
-index 0000000..ff562e3
+index 0000000..b69a301
 --- /dev/null
 +++ b/man/man8/nagios_system_plugin_selinux.8
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,105 @@
 +.TH  "nagios_system_plugin_selinux"  "8"  "nagios_system_plugin" "dwalsh at redhat.com" "nagios_system_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_system_plugin_selinux \- Security Enhanced Linux Policy for the nagios_system_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_system_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_system_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_system_plugin processes execute with the nagios_system_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nagios_system_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_system_plugin_t SELinux type can be entered via the "nagios_system_plugin_exec_t" file type.  The default entrypoint paths for the nagios_system_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_ifoperstatus, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_overcr
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_system_plugin:
++
++.EX
++.B nagios_system_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -48863,32 +52811,16 @@ index 0000000..ff562e3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_system_plugin:
-+
-+.EX
-+.B nagios_system_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_system_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_system_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nagios_system_plugin_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -48908,23 +52840,50 @@ index 0000000..ff562e3
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_system_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_unconfined_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nagios_unconfined_plugin_selinux.8 b/man/man8/nagios_unconfined_plugin_selinux.8
 new file mode 100644
-index 0000000..a87b21c
+index 0000000..ee1da91
 --- /dev/null
 +++ b/man/man8/nagios_unconfined_plugin_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "nagios_unconfined_plugin_selinux"  "8"  "nagios_unconfined_plugin" "dwalsh at redhat.com" "nagios_unconfined_plugin SELinux Policy documentation"
 +.SH "NAME"
 +nagios_unconfined_plugin_selinux \- Security Enhanced Linux Policy for the nagios_unconfined_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nagios_unconfined_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nagios_unconfined_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nagios_unconfined_plugin processes execute with the nagios_unconfined_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nagios_unconfined_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The nagios_unconfined_plugin_t SELinux type can be entered via the "nagios_unconfined_plugin_exec_t" file type.  The default entrypoint paths for the nagios_unconfined_plugin_t domain are the following:"
++
++/usr/lib/nagios/plugins/check_by_ssh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for nagios_unconfined_plugin:
++
++.EX
++.B nagios_unconfined_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
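Review bot: The relocated PROCESS TYPES text still carries the malformed escape in `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP`; the bold opened by `\fB` is never closed with `\fP`, and the line should end `\fBps\fP`. The same line is re-added unchanged in the named, namespace_init, ncftool, ndc, netlabel_mgmt, netlogond and netutils hunks below. In this hunk the ENTRYPOINTS sentence also ends with a stray `"` after `following:`, and the new SEE ALSO line lists `nagios_selinux(8)` twice. These pages share identical boilerplate and look generated, so the fix most likely belongs in the generator's template rather than in each page.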
@@ -48952,27 +52911,11 @@ index 0000000..a87b21c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nagios_unconfined_plugin:
-+
-+.EX
-+.B nagios_unconfined_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nagios_unconfined_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nagios_unconfined_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -48993,13 +52936,13 @@ index 0000000..a87b21c
 +
 +.SH "SEE ALSO"
 +selinux(8), nagios_unconfined_plugin(8), semanage(8), restorecon(8), chcon(1)
-+, nagios_selinux(8)
++, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
-index fce0b48..653194b 100644
+index fce0b48..08398a7 100644
 --- a/man/man8/named_selinux.8
 +++ b/man/man8/named_selinux.8
-@@ -1,30 +1,269 @@
+@@ -1,30 +1,280 @@
 -.TH  "named_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "named Selinux Policy documentation"
 -.de EX
 -.nf
@@ -49016,8 +52959,38 @@ index fce0b48..653194b 100644
  .SH "DESCRIPTION"
  
 -Security-Enhanced Linux secures the named server via flexible mandatory access
-+Security-Enhanced Linux secures the named processes via flexible mandatory access
- control.  
+-control.  
++Security-Enhanced Linux secures the named processes via flexible mandatory access control.
++
++The named processes execute with the named_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep named_t
++
++
++.SH "ENTRYPOINTS"
++
++The named_t SELinux type can be entered via the "named_checkconf_exec_t,named_exec_t" file types.  The default entrypoint paths for the named_t domain are the following:"
++
++/usr/sbin/named-checkconf, /usr/sbin/lwresd, /usr/sbin/named, /usr/sbin/unbound
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
++.PP 
++The following process types are defined for named:
++
++.EX
++.B named_t, namespace_init_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
  .SH BOOLEANS
 -SELinux policy is customizable based on least access required.  So by 
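Review bot: The PROCESS TYPES block added to named_selinux.8 lists `.B named_t, namespace_init_t`, but namespace_init_t is documented as its own domain in namespace_init_selinux.8, with entrypoint `/etc/security/namespace.init`. Its appearance under named therefore looks like a name-matching artifact rather than a domain that belongs to named; the policy source is not visible here, so this needs confirming. It matters because the block sits next to the `semanage permissive -a PROCESS_TYPE` note, so an administrator working from the named page could make an unrelated domain permissive. If confirmed, the line should be `.B named_t`, and the NSSWITCH DOMAIN text re-added later in this file (`for the namespace_init_t, named_t`) needs the same correction.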
@@ -49045,22 +53018,6 @@ index fce0b48..653194b 100644
 +.B setsebool -P named_bind_http_port 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -49132,10 +53089,10 @@ index fce0b48..653194b 100644
 +.PP
 +.B named_keytab_t 
 +.EE
- 
++
 +- Set files with the named_keytab_t type, if you want to treat the files as kerberos keytab files.
  
-+
+ 
 +.EX
 +.PP
 +.B named_log_t 
@@ -49199,27 +53156,9 @@ index fce0b48..653194b 100644
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for named:
-+
-+.EX
-+.B named_t, namespace_init_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type named_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type named_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B named_cache_t
@@ -49265,6 +53204,22 @@ index fce0b48..653194b 100644
 +	/var/run/ndc
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -49291,33 +53246,46 @@ index fce0b48..653194b 100644
 \ No newline at end of file
 diff --git a/man/man8/namespace_init_selinux.8 b/man/man8/namespace_init_selinux.8
 new file mode 100644
-index 0000000..3310d59
+index 0000000..db6ac93
 --- /dev/null
 +++ b/man/man8/namespace_init_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,118 @@
 +.TH  "namespace_init_selinux"  "8"  "namespace_init" "dwalsh at redhat.com" "namespace_init SELinux Policy documentation"
 +.SH "NAME"
 +namespace_init_selinux \- Security Enhanced Linux Policy for the namespace_init processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the namespace_init processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the namespace_init processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The namespace_init processes execute with the namespace_init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep namespace_init_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The namespace_init_t SELinux type can be entered via the "namespace_init_exec_t" file type.  The default entrypoint paths for the namespace_init_t domain are the following:"
++
++/etc/security/namespace.init
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible.
++.PP 
++The following process types are defined for namespace_init:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B namespace_init_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -49345,27 +53313,9 @@ index 0000000..3310d59
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for namespace_init:
-+
-+.EX
-+.B namespace_init_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type namespace_init_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type namespace_init_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B security_t
@@ -49378,6 +53328,26 @@ index 0000000..3310d59
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
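Review bot: The MANAGED FILES list for namespace_init_t now includes `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` after the generic `/home/[^/]*/.+`. These look like file-context entries local to the machine the page was generated on rather than default policy paths. The section's own text says the paths listed are the default paths for these file types, so shipping them is misleading, and it also publishes a build-host account name. I would drop the two added path lines with their `.br` and regenerate the page on a host without local home-directory context customizations. The file type these paths are listed under starts above the hunk and is not visible here.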
@@ -49400,19 +53370,46 @@ index 0000000..3310d59
 +selinux(8), namespace_init(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8
 new file mode 100644
-index 0000000..303dfb7
+index 0000000..c060e2c
 --- /dev/null
 +++ b/man/man8/ncftool_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,136 @@
 +.TH  "ncftool_selinux"  "8"  "ncftool" "dwalsh at redhat.com" "ncftool SELinux Policy documentation"
 +.SH "NAME"
 +ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ncftool processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ncftool processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ncftool processes execute with the ncftool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ncftool_t
++
++
++.SH "ENTRYPOINTS"
++
++The ncftool_t SELinux type can be entered via the "ncftool_exec_t" file type.  The default entrypoint paths for the ncftool_t domain are the following:"
++
++/usr/bin/ncftool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
++.PP 
++The following process types are defined for ncftool:
++
++.EX
++.B ncftool_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -49440,27 +53437,9 @@ index 0000000..303dfb7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ncftool:
-+
-+.EX
-+.B ncftool_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ncftool_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ncftool_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B net_conf_t
@@ -49510,6 +53489,8 @@ index 0000000..303dfb7
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -49531,33 +53512,46 @@ index 0000000..303dfb7
 +selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8
 new file mode 100644
-index 0000000..620f09c
+index 0000000..e5eb770
 --- /dev/null
 +++ b/man/man8/ndc_selinux.8
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,102 @@
 +.TH  "ndc_selinux"  "8"  "ndc" "dwalsh at redhat.com" "ndc SELinux Policy documentation"
 +.SH "NAME"
 +ndc_selinux \- Security Enhanced Linux Policy for the ndc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ndc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ndc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ndc processes execute with the ndc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep ndc_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ndc_t SELinux type can be entered via the "ndc_exec_t" file type.  The default entrypoint paths for the ndc_t domain are the following:"
++
++/usr/sbin/r?ndc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
++.PP 
++The following process types are defined for ndc:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ndc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -49585,27 +53579,25 @@ index 0000000..620f09c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type ndc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ndc:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B ndc_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type ndc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -49628,19 +53620,46 @@ index 0000000..620f09c
 +selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/netlabel_mgmt_selinux.8 b/man/man8/netlabel_mgmt_selinux.8
 new file mode 100644
-index 0000000..cc33498
+index 0000000..3bfa93e
 --- /dev/null
 +++ b/man/man8/netlabel_mgmt_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "netlabel_mgmt_selinux"  "8"  "netlabel_mgmt" "dwalsh at redhat.com" "netlabel_mgmt SELinux Policy documentation"
 +.SH "NAME"
 +netlabel_mgmt_selinux \- Security Enhanced Linux Policy for the netlabel_mgmt processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the netlabel_mgmt processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the netlabel_mgmt processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The netlabel_mgmt processes execute with the netlabel_mgmt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep netlabel_mgmt_t
++
++
++.SH "ENTRYPOINTS"
++
++The netlabel_mgmt_t SELinux type can be entered via the "netlabel_mgmt_exec_t" file type.  The default entrypoint paths for the netlabel_mgmt_t domain are the following:"
++
++/sbin/netlabelctl, /usr/sbin/netlabelctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible.
++.PP 
++The following process types are defined for netlabel_mgmt:
++
++.EX
++.B netlabel_mgmt_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -49672,27 +53691,11 @@ index 0000000..cc33498
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for netlabel_mgmt:
-+
-+.EX
-+.B netlabel_mgmt_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type netlabel_mgmt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type netlabel_mgmt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -49715,19 +53718,46 @@ index 0000000..cc33498
 +selinux(8), netlabel_mgmt(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8
 new file mode 100644
-index 0000000..c2de904
+index 0000000..f85063c
 --- /dev/null
 +++ b/man/man8/netlogond_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,136 @@
 +.TH  "netlogond_selinux"  "8"  "netlogond" "dwalsh at redhat.com" "netlogond SELinux Policy documentation"
 +.SH "NAME"
 +netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the netlogond processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the netlogond processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The netlogond processes execute with the netlogond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep netlogond_t
++
++
++.SH "ENTRYPOINTS"
++
++The netlogond_t SELinux type can be entered via the "netlogond_exec_t" file type.  The default entrypoint paths for the netlogond_t domain are the following:"
++
++/usr/sbin/netlogond
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
++.PP 
++The following process types are defined for netlogond:
++
++.EX
++.B netlogond_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -49783,27 +53813,9 @@ index 0000000..c2de904
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for netlogond:
-+
-+.EX
-+.B netlogond_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type netlogond_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type netlogond_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B likewise_etc_t
@@ -49825,6 +53837,8 @@ index 0000000..c2de904
 +	/var/run/netlogond.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -49846,33 +53860,46 @@ index 0000000..c2de904
 +selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8
 new file mode 100644
-index 0000000..4bc6f16
+index 0000000..039109f
 --- /dev/null
 +++ b/man/man8/netutils_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,118 @@
 +.TH  "netutils_selinux"  "8"  "netutils" "dwalsh at redhat.com" "netutils SELinux Policy documentation"
 +.SH "NAME"
 +netutils_selinux \- Security Enhanced Linux Policy for the netutils processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the netutils processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the netutils processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The netutils processes execute with the netutils_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep netutils_t
++
++
++.SH "ENTRYPOINTS"
 +
++The netutils_t SELinux type can be entered via the "netutils_exec_t" file type.  The default entrypoint paths for the netutils_t domain are the following:"
++
++/sbin/arping, /usr/sbin/arping, /usr/sbin/tcpdump
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
++.PP 
++The following process types are defined for netutils:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B netutils_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -49912,32 +53939,30 @@ index 0000000..4bc6f16
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for netutils:
-+
-+.EX
-+.B netutils_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type netutils_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type netutils_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B netutils_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
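Review bot: The NSSWITCH DOMAIN text now placed near the end of netutils_selinux.8 says the boolean is turned on "for the netutils_t", but SELinux booleans are system-wide, so `setsebool -P authlogin_nsswitch_use_ldap 1` changes access for every domain the boolean covers, not only this one. I would state that in the page, for example `This boolean is system-wide; it affects every domain it applies to, not only netutils_t.` The same sentence carries two typos ("rather then", "a sssd serve") that read better as `rather than using an sssd server`. The identical paragraph is added to the newrole, nfsd, nmbd and nova_cert pages further down.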
@@ -49959,33 +53984,46 @@ index 0000000..4bc6f16
 +selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8
 new file mode 100644
-index 0000000..cef1275
+index 0000000..804d237
 --- /dev/null
 +++ b/man/man8/newrole_selinux.8
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,174 @@
 +.TH  "newrole_selinux"  "8"  "newrole" "dwalsh at redhat.com" "newrole SELinux Policy documentation"
 +.SH "NAME"
 +newrole_selinux \- Security Enhanced Linux Policy for the newrole processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the newrole processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the newrole processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The newrole processes execute with the newrole_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep newrole_t
++
++
++.SH "ENTRYPOINTS"
 +
++The newrole_t SELinux type can be entered via the "newrole_exec_t" file type.  The default entrypoint paths for the newrole_t domain are the following:"
++
++/usr/bin/newrole
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
++.PP 
++The following process types are defined for newrole:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B newrole_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
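Review bot: The permissive note under PROCESS TYPES in newrole_selinux.8 explains how to make the domain permissive but not how to undo it or what is given up meanwhile. A permissive domain is logged but no longer confined, so the paragraph should end with something like `Remove the exception with semanage permissive -d PROCESS_TYPE once the AVC denials have been resolved.` The same paragraph is repeated in the netutils, nfsd, nmbd and nova_* pages in this patch, so the change belongs in the generator template rather than in each page.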
@@ -50013,27 +54051,9 @@ index 0000000..cef1275
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for newrole:
-+
-+.EX
-+.B newrole_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type newrole_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type newrole_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -50107,6 +54127,22 @@ index 0000000..cef1275
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -50165,17 +54201,46 @@ index 8e30c4c..0000000
 -selinux(8), chcon(1), setsebool(8)
 diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8
 new file mode 100644
-index 0000000..5f84f1c
+index 0000000..e7206ec
 --- /dev/null
 +++ b/man/man8/nfsd_selinux.8
-@@ -0,0 +1,326 @@
+@@ -0,0 +1,337 @@
 +.TH  "nfsd_selinux"  "8"  "nfsd" "dwalsh at redhat.com" "nfsd SELinux Policy documentation"
 +.SH "NAME"
 +nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nfsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nfsd processes via flexible mandatory access control.
++
++The nfsd processes execute with the nfsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nfsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nfsd_t SELinux type can be entered via the "nfsd_exec_t" file type.  The default entrypoint paths for the nfsd_t domain are the following:"
++
++/usr/sbin/rpc\.mountd, /usr/sbin/rpc\.nfsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nfsd:
++
++.EX
++.B nfsd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible.
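Review bot: Two roff slips in the new nfsd_selinux.8 header look like template errors. The ENTRYPOINTS sentence ends with a stray `"` after "the following:", and the PROCESS TYPES line closes the bold run with `\bP` where `\fP` is meant, so the font is probably not reset as intended. The corrected fragments would be `domain are the following:` and `option to \fBps\fP`. Both occur in every regenerated page in this part of the patch (netutils, newrole, nmbd, nova_*).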
@@ -50300,22 +54365,6 @@ index 0000000..5f84f1c
 +.B setsebool -P nfs_export_all_ro 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
 +.TP
@@ -50429,27 +54478,9 @@ index 0000000..5f84f1c
 +.EE
 +udp 2049,20048-20049
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nfsd:
-+
-+.EX
-+.B nfsd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nfsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nfsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nfsd_fs_t
@@ -50469,6 +54500,22 @@ index 0000000..5f84f1c
 +	/var/lib(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -50505,33 +54552,46 @@ index 6271c95..0000000
 -.so man8/ypbind_selinux.8
 diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8
 new file mode 100644
-index 0000000..d7a3320
+index 0000000..b7322db
 --- /dev/null
 +++ b/man/man8/nmbd_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,172 @@
 +.TH  "nmbd_selinux"  "8"  "nmbd" "dwalsh at redhat.com" "nmbd SELinux Policy documentation"
 +.SH "NAME"
 +nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nmbd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nmbd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nmbd processes execute with the nmbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nmbd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The nmbd_t SELinux type can be entered via the "nmbd_exec_t" file type.  The default entrypoint paths for the nmbd_t domain are the following:"
++
++/usr/sbin/nmbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nmbd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nmbd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -50594,27 +54654,9 @@ index 0000000..d7a3320
 +Default Defined Ports:
 +udp 137,138
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nmbd:
-+
-+.EX
-+.B nmbd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nmbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nmbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nmbd_var_run_t
@@ -50648,6 +54690,22 @@ index 0000000..d7a3320
 +	/var/spool/samba(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -50672,19 +54730,46 @@ index 0000000..d7a3320
 +selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nova_ajax_selinux.8 b/man/man8/nova_ajax_selinux.8
 new file mode 100644
-index 0000000..9544e58
+index 0000000..4f8600d
 --- /dev/null
 +++ b/man/man8/nova_ajax_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_ajax_selinux"  "8"  "nova_ajax" "dwalsh at redhat.com" "nova_ajax SELinux Policy documentation"
 +.SH "NAME"
 +nova_ajax_selinux \- Security Enhanced Linux Policy for the nova_ajax processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_ajax processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_ajax processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_ajax processes execute with the nova_ajax_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_ajax_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_ajax_t SELinux type can be entered via the "nova_ajax_exec_t" file type.  The default entrypoint paths for the nova_ajax_t domain are the following:"
++
++/usr/bin/nova-ajax-console-proxy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_ajax:
++
++.EX
++.B nova_ajax_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -50728,27 +54813,9 @@ index 0000000..9544e58
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_ajax:
-+
-+.EX
-+.B nova_ajax_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_ajax_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_ajax_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_ajax_tmp_t
@@ -50772,6 +54839,8 @@ index 0000000..9544e58
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
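Review bot: The added `.SH NSSWITCH DOMAIN` heading in nova_ajax_selinux.8 has no body, so the rendered page shows an empty section directly before COMMANDS. A reader cannot tell whether the nsswitch booleans were left out by mistake or simply do not apply to nova_ajax_t. Either drop the heading when the generator has nothing to print under it, or emit one line that says so. The nova_api and nova_compute pages below get the same empty heading.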
@@ -50791,21 +54860,50 @@ index 0000000..9544e58
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_ajax(8), semanage(8), restorecon(8), chcon(1)
++, nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_api_selinux.8 b/man/man8/nova_api_selinux.8
 new file mode 100644
-index 0000000..7a9aeef
+index 0000000..0ac13a0
 --- /dev/null
 +++ b/man/man8/nova_api_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,135 @@
 +.TH  "nova_api_selinux"  "8"  "nova_api" "dwalsh at redhat.com" "nova_api SELinux Policy documentation"
 +.SH "NAME"
 +nova_api_selinux \- Security Enhanced Linux Policy for the nova_api processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_api processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_api processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_api processes execute with the nova_api_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_api_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_api_t SELinux type can be entered via the "nova_api_exec_t" file type.  The default entrypoint paths for the nova_api_t domain are the following:"
++
++/usr/bin/nova-api, /usr//bin/nova-api-metadata
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_api:
++
++.EX
++.B nova_api_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
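Review bot: The ENTRYPOINTS list in nova_api_selinux.8 gives the second path as `/usr//bin/nova-api-metadata`, with a doubled slash. If the generator copies this from the policy's file-context entry, that pattern would presumably not match the installed binary, leaving it without the nova_api_exec_t label and so outside nova_api_t. That is worth checking against the file-context source, which is not visible in this hunk. The page should read `/usr/bin/nova-api, /usr/bin/nova-api-metadata`.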
@@ -50857,27 +54955,9 @@ index 0000000..7a9aeef
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_api:
-+
-+.EX
-+.B nova_api_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_api_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_api_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_api_tmp_t
@@ -50901,6 +54981,8 @@ index 0000000..7a9aeef
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -50920,35 +55002,50 @@ index 0000000..7a9aeef
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_api(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_cert_selinux.8 b/man/man8/nova_cert_selinux.8
 new file mode 100644
-index 0000000..61864b7
+index 0000000..0d44163
 --- /dev/null
 +++ b/man/man8/nova_cert_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,141 @@
 +.TH  "nova_cert_selinux"  "8"  "nova_cert" "dwalsh at redhat.com" "nova_cert SELinux Policy documentation"
 +.SH "NAME"
 +nova_cert_selinux \- Security Enhanced Linux Policy for the nova_cert processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_cert processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_cert processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_cert processes execute with the nova_cert_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nova_cert_t
++
++
++.SH "ENTRYPOINTS"
 +
++The nova_cert_t SELinux type can be entered via the "nova_cert_exec_t" file type.  The default entrypoint paths for the nova_cert_t domain are the following:"
++
++/usr/bin/nova-cert
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nova_cert_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_cert:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nova_cert_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -50992,27 +55089,9 @@ index 0000000..61864b7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_cert:
-+
-+.EX
-+.B nova_cert_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_cert_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_cert_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_cert_tmp_t
@@ -51036,6 +55115,22 @@ index 0000000..61864b7
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nova_cert_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51055,21 +55150,50 @@ index 0000000..61864b7
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_cert(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_compute_selinux.8 b/man/man8/nova_compute_selinux.8
 new file mode 100644
-index 0000000..8149b81
+index 0000000..0740566
 --- /dev/null
 +++ b/man/man8/nova_compute_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_compute_selinux"  "8"  "nova_compute" "dwalsh at redhat.com" "nova_compute SELinux Policy documentation"
 +.SH "NAME"
 +nova_compute_selinux \- Security Enhanced Linux Policy for the nova_compute processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_compute processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_compute processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_compute processes execute with the nova_compute_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_compute_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_compute_t SELinux type can be entered via the "nova_compute_exec_t" file type.  The default entrypoint paths for the nova_compute_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_compute:
++
++.EX
++.B nova_compute_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
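Review bot: The ENTRYPOINTS section of nova_compute_selinux.8 announces "the default entrypoint paths ... are the following:" and then lists nothing before `.SH PROCESS TYPES`. If that reflects the policy, meaning no path is labelled nova_compute_exec_t by default, then nothing would transition into nova_compute_t until an administrator labels a binary by hand, and the page should say that explicitly. If it is a generator miss, the path list needs to be filled in. For the empty case, a line such as `No default entrypoint paths are defined for nova_compute_exec_t.` would make the state clear.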
@@ -51113,27 +55237,9 @@ index 0000000..8149b81
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_compute:
-+
-+.EX
-+.B nova_compute_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_compute_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_compute_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_compute_tmp_t
@@ -51157,6 +55263,8 @@ index 0000000..8149b81
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51176,35 +55284,50 @@ index 0000000..8149b81
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_compute(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_console_selinux.8 b/man/man8/nova_console_selinux.8
 new file mode 100644
-index 0000000..2a9c3e7
+index 0000000..163d41d
 --- /dev/null
 +++ b/man/man8/nova_console_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,141 @@
 +.TH  "nova_console_selinux"  "8"  "nova_console" "dwalsh at redhat.com" "nova_console SELinux Policy documentation"
 +.SH "NAME"
 +nova_console_selinux \- Security Enhanced Linux Policy for the nova_console processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_console processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_console processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_console processes execute with the nova_console_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nova_console_t
++
++
++.SH "ENTRYPOINTS"
 +
++The nova_console_t SELinux type can be entered via the "nova_console_exec_t" file type.  The default entrypoint paths for the nova_console_t domain are the following:"
++
++/usr/bin/nova-console.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nova_console_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_console:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nova_console_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51248,27 +55371,9 @@ index 0000000..2a9c3e7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_console:
-+
-+.EX
-+.B nova_console_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_console_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_console_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_console_tmp_t
@@ -51292,6 +55397,22 @@ index 0000000..2a9c3e7
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nova_console_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51311,21 +55432,50 @@ index 0000000..2a9c3e7
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_console(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_direct_selinux.8 b/man/man8/nova_direct_selinux.8
 new file mode 100644
-index 0000000..1198be5
+index 0000000..a890cdb
 --- /dev/null
 +++ b/man/man8/nova_direct_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_direct_selinux"  "8"  "nova_direct" "dwalsh at redhat.com" "nova_direct SELinux Policy documentation"
 +.SH "NAME"
 +nova_direct_selinux \- Security Enhanced Linux Policy for the nova_direct processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_direct processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_direct processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_direct processes execute with the nova_direct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_direct_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_direct_t SELinux type can be entered via the "nova_direct_exec_t" file type.  The default entrypoint paths for the nova_direct_t domain are the following:"
++
++/usr/bin/nova-direct-api
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_direct:
++
++.EX
++.B nova_direct_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51369,27 +55519,9 @@ index 0000000..1198be5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_direct:
-+
-+.EX
-+.B nova_direct_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_direct_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_direct_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_direct_tmp_t
@@ -51413,6 +55545,8 @@ index 0000000..1198be5
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51432,21 +55566,50 @@ index 0000000..1198be5
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_direct(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_network_selinux.8 b/man/man8/nova_network_selinux.8
 new file mode 100644
-index 0000000..a9485e6
+index 0000000..a7f0264
 --- /dev/null
 +++ b/man/man8/nova_network_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_network_selinux"  "8"  "nova_network" "dwalsh at redhat.com" "nova_network SELinux Policy documentation"
 +.SH "NAME"
 +nova_network_selinux \- Security Enhanced Linux Policy for the nova_network processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_network processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_network processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_network processes execute with the nova_network_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_network_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_network_t SELinux type can be entered via the "nova_network_exec_t" file type.  The default entrypoint paths for the nova_network_t domain are the following:"
++
++/usr/bin/nova-network
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_network:
++
++.EX
++.B nova_network_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51490,27 +55653,9 @@ index 0000000..a9485e6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_network:
-+
-+.EX
-+.B nova_network_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_network_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_network_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_log_t
@@ -51534,6 +55679,8 @@ index 0000000..a9485e6
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51553,21 +55700,50 @@ index 0000000..a9485e6
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_network(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_objectstore_selinux.8 b/man/man8/nova_objectstore_selinux.8
 new file mode 100644
-index 0000000..cb98335
+index 0000000..d20507b
 --- /dev/null
 +++ b/man/man8/nova_objectstore_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_objectstore_selinux"  "8"  "nova_objectstore" "dwalsh at redhat.com" "nova_objectstore SELinux Policy documentation"
 +.SH "NAME"
 +nova_objectstore_selinux \- Security Enhanced Linux Policy for the nova_objectstore processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_objectstore processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_objectstore processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_objectstore processes execute with the nova_objectstore_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_objectstore_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_objectstore_t SELinux type can be entered via the "nova_objectstore_exec_t" file type.  The default entrypoint paths for the nova_objectstore_t domain are the following:"
++
++/usr/bin/nova-objectstore
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_objectstore:
++
++.EX
++.B nova_objectstore_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51611,27 +55787,9 @@ index 0000000..cb98335
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_objectstore:
-+
-+.EX
-+.B nova_objectstore_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_objectstore_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_objectstore_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_log_t
@@ -51655,6 +55813,8 @@ index 0000000..cb98335
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51674,21 +55834,50 @@ index 0000000..cb98335
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_objectstore(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_scheduler_selinux.8 b/man/man8/nova_scheduler_selinux.8
 new file mode 100644
-index 0000000..c8be529
+index 0000000..3d83e0a
 --- /dev/null
 +++ b/man/man8/nova_scheduler_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_scheduler_selinux"  "8"  "nova_scheduler" "dwalsh at redhat.com" "nova_scheduler SELinux Policy documentation"
 +.SH "NAME"
 +nova_scheduler_selinux \- Security Enhanced Linux Policy for the nova_scheduler processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_scheduler processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_scheduler processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_scheduler processes execute with the nova_scheduler_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_scheduler_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_scheduler_t SELinux type can be entered via the "nova_scheduler_exec_t" file type.  The default entrypoint paths for the nova_scheduler_t domain are the following:"
++
++/usr/bin/nova-scheduler
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_scheduler:
++
++.EX
++.B nova_scheduler_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51732,27 +55921,9 @@ index 0000000..c8be529
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_scheduler:
-+
-+.EX
-+.B nova_scheduler_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_scheduler_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_scheduler_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_log_t
@@ -51776,6 +55947,8 @@ index 0000000..c8be529
 +	/var/run/nova(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51795,21 +55968,50 @@ index 0000000..c8be529
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_scheduler(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_vncproxy_selinux.8 b/man/man8/nova_vncproxy_selinux.8
 new file mode 100644
-index 0000000..c70cb21
+index 0000000..fc14781
 --- /dev/null
 +++ b/man/man8/nova_vncproxy_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,135 @@
 +.TH  "nova_vncproxy_selinux"  "8"  "nova_vncproxy" "dwalsh at redhat.com" "nova_vncproxy SELinux Policy documentation"
 +.SH "NAME"
 +nova_vncproxy_selinux \- Security Enhanced Linux Policy for the nova_vncproxy processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_vncproxy processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_vncproxy processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_vncproxy processes execute with the nova_vncproxy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_vncproxy_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_vncproxy_t SELinux type can be entered via the "nova_vncproxy_exec_t" file type.  The default entrypoint paths for the nova_vncproxy_t domain are the following:"
++
++/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_vncproxy:
++
++.EX
++.B nova_vncproxy_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51861,27 +56063,9 @@ index 0000000..c70cb21
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_vncproxy:
-+
-+.EX
-+.B nova_vncproxy_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_vncproxy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_vncproxy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_log_t
@@ -51905,6 +56089,8 @@ index 0000000..c70cb21
 +.B nova_vncproxy_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -51924,21 +56110,50 @@ index 0000000..c70cb21
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_vncproxy(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_volume_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nova_volume_selinux.8 b/man/man8/nova_volume_selinux.8
 new file mode 100644
-index 0000000..0867727
+index 0000000..d7d149e
 --- /dev/null
 +++ b/man/man8/nova_volume_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,127 @@
 +.TH  "nova_volume_selinux"  "8"  "nova_volume" "dwalsh at redhat.com" "nova_volume SELinux Policy documentation"
 +.SH "NAME"
 +nova_volume_selinux \- Security Enhanced Linux Policy for the nova_volume processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nova_volume processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nova_volume processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nova_volume processes execute with the nova_volume_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep nova_volume_t
++
++
++.SH "ENTRYPOINTS"
++
++The nova_volume_t SELinux type can be entered via the "nova_volume_exec_t" file type.  The default entrypoint paths for the nova_volume_t domain are the following:"
++
++/usr/bin/nova-volume
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible.
++.PP 
++The following process types are defined for nova_volume:
++
++.EX
++.B nova_volume_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -51982,27 +56197,9 @@ index 0000000..0867727
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nova_volume:
-+
-+.EX
-+.B nova_volume_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nova_volume_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nova_volume_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nova_log_t
@@ -52026,6 +56223,8 @@ index 0000000..0867727
 +.B nova_volume_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -52045,35 +56244,50 @@ index 0000000..0867727
 +
 +.SH "SEE ALSO"
 +selinux(8), nova_volume(8), semanage(8), restorecon(8), chcon(1)
++, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8
 new file mode 100644
-index 0000000..6656a32
+index 0000000..e4518db
 --- /dev/null
 +++ b/man/man8/nrpe_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "nrpe_selinux"  "8"  "nrpe" "dwalsh at redhat.com" "nrpe SELinux Policy documentation"
 +.SH "NAME"
 +nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nrpe processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nrpe processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nrpe processes execute with the nrpe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nrpe_t
++
++
++.SH "ENTRYPOINTS"
++
++The nrpe_t SELinux type can be entered via the "nrpe_exec_t" file type.  The default entrypoint paths for the nrpe_t domain are the following:"
 +
++/usr/s?bin/nrpe
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
++.PP 
++The following process types are defined for nrpe:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nrpe_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -52117,32 +56331,30 @@ index 0000000..6656a32
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nrpe:
-+
-+.EX
-+.B nrpe_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nrpe_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nrpe_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nrpe_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -52164,43 +56376,56 @@ index 0000000..6656a32
 +selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8
 new file mode 100644
-index 0000000..aeb9ee4
+index 0000000..0aaac5e
 --- /dev/null
 +++ b/man/man8/nscd_selinux.8
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,179 @@
 +.TH  "nscd_selinux"  "8"  "nscd" "dwalsh at redhat.com" "nscd SELinux Policy documentation"
 +.SH "NAME"
 +nscd_selinux \- Security Enhanced Linux Policy for the nscd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nscd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nscd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible.
++The nscd processes execute with the nscd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
++.B ps -eZ | grep nscd_t
 +
-+.EX
-+.B setsebool -P nscd_use_shm 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The nscd_t SELinux type can be entered via the "nscd_exec_t" file type.  The default entrypoint paths for the nscd_t domain are the following:"
 +
++/usr/sbin/nscd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nscd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B nscd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P nscd_use_shm 1
 +.EE
 +
 +.SH FILE CONTEXTS
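Review bot: In the PROCESS TYPES block that this hunk moves up, `\fBps\bP` ends the bold run with `\b` instead of the font escape `\f`, so bold is probably never switched back and the output may be garbled. It should read `\fBps\fP`, as the new DESCRIPTION paragraph in the same hunk already does. The new ENTRYPOINTS sentence also ends with an unmatched quote (`are the following:"`), which should be dropped. Both defects recur in the nslcd, ntop, ntpd, numad, nut_upsd, nut_upsdrvctl and nut_upsmon hunks further down.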
@@ -52265,27 +56490,9 @@ index 0000000..aeb9ee4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nscd:
-+
-+.EX
-+.B nscd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nscd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nscd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nscd_log_t
@@ -52313,6 +56520,22 @@ index 0000000..aeb9ee4
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -52339,33 +56562,46 @@ index 0000000..aeb9ee4
 \ No newline at end of file
 diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8
 new file mode 100644
-index 0000000..39b5918
+index 0000000..c4426c1
 --- /dev/null
 +++ b/man/man8/nslcd_selinux.8
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,132 @@
 +.TH  "nslcd_selinux"  "8"  "nslcd" "dwalsh at redhat.com" "nslcd SELinux Policy documentation"
 +.SH "NAME"
 +nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nslcd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nslcd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nslcd processes execute with the nslcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nslcd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The nslcd_t SELinux type can be entered via the "nslcd_exec_t" file type.  The default entrypoint paths for the nslcd_t domain are the following:"
++
++/usr/sbin/nslcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nslcd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nslcd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
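Review bot: The relocated note on `semanage permissive -a PROCESS_TYPE` says a permissive type is no longer denied access, but not that this removes confinement for nslcd_t until it is undone. A troubleshooting-only caveat with the reverse command would close that gap, for example `Use this only while debugging denials, then remove it with semanage permissive -d PROCESS_TYPE.` The same note appears unchanged in the other pages touched by this commit.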
@@ -52417,27 +56653,9 @@ index 0000000..39b5918
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nslcd:
-+
-+.EX
-+.B nslcd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nslcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nslcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nslcd_var_run_t
@@ -52445,6 +56663,22 @@ index 0000000..39b5918
 +	/var/run/nslcd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -52466,33 +56700,46 @@ index 0000000..39b5918
 +selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8
 new file mode 100644
-index 0000000..8dbc99f
+index 0000000..3fdc8b0
 --- /dev/null
 +++ b/man/man8/ntop_selinux.8
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,186 @@
 +.TH  "ntop_selinux"  "8"  "ntop" "dwalsh at redhat.com" "ntop SELinux Policy documentation"
 +.SH "NAME"
 +ntop_selinux \- Security Enhanced Linux Policy for the ntop processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ntop processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ntop processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ntop processes execute with the ntop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep ntop_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ntop_t SELinux type can be entered via the "ntop_exec_t" file type.  The default entrypoint paths for the ntop_t domain are the following:"
++
++/usr/bin/ntop
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
++.PP 
++The following process types are defined for ntop:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ntop_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -52585,27 +56832,9 @@ index 0000000..8dbc99f
 +.EE
 +udp 3000-3001
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ntop:
-+
-+.EX
-+.B ntop_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ntop_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ntop_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ntop_tmp_t
@@ -52623,6 +56852,22 @@ index 0000000..8dbc99f
 +	/var/run/ntop\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -52647,33 +56892,46 @@ index 0000000..8dbc99f
 +selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8
 new file mode 100644
-index 0000000..12218b3
+index 0000000..ff6d5c6
 --- /dev/null
 +++ b/man/man8/ntpd_selinux.8
-@@ -0,0 +1,239 @@
+@@ -0,0 +1,250 @@
 +.TH  "ntpd_selinux"  "8"  "ntpd" "dwalsh at redhat.com" "ntpd SELinux Policy documentation"
 +.SH "NAME"
 +ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ntpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ntpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ntpd processes execute with the ntpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep ntpd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ntpd_t SELinux type can be entered via the "ntpd_exec_t,ntpdate_exec_t" file types.  The default entrypoint paths for the ntpd_t domain are the following:"
++
++/usr/sbin/ntpd, /etc/cron\.(daily|weekly)/ntp-server, /etc/cron\.(daily|weekly)/ntp-simple, /usr/sbin/ntpdate
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ntpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ntpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -52800,27 +57058,9 @@ index 0000000..12218b3
 +Default Defined Ports:
 +udp 123
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ntpd:
-+
-+.EX
-+.B ntpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ntpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ntpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gpsd_tmpfs_t
@@ -52868,6 +57108,22 @@ index 0000000..12218b3
 +	/usr/lib/udev/devices/shm
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -52892,19 +57148,46 @@ index 0000000..12218b3
 +selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8
 new file mode 100644
-index 0000000..f32b8bd
+index 0000000..eeb28c0
 --- /dev/null
 +++ b/man/man8/numad_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "numad_selinux"  "8"  "numad" "dwalsh at redhat.com" "numad SELinux Policy documentation"
 +.SH "NAME"
 +numad_selinux \- Security Enhanced Linux Policy for the numad processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the numad processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the numad processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The numad processes execute with the numad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep numad_t
++
++
++.SH "ENTRYPOINTS"
++
++The numad_t SELinux type can be entered via the "numad_exec_t" file type.  The default entrypoint paths for the numad_t domain are the following:"
++
++/usr/bin/numad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
++.PP 
++The following process types are defined for numad:
++
++.EX
++.B numad_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -52956,27 +57239,9 @@ index 0000000..f32b8bd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for numad:
-+
-+.EX
-+.B numad_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type numad_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type numad_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B numad_var_log_t
@@ -52990,6 +57255,8 @@ index 0000000..f32b8bd
 +	/var/run/numad\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
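Review bot: The added `.SH NSSWITCH DOMAIN` heading in numad_selinux.8 has no body, because the next line is already `.SH "COMMANDS"`, so the page gets an empty section. Other pages in this commit fill that section with the authlogin_nsswitch_use_ldap and kerberos_enabled paragraphs, which suggests the heading is emitted unconditionally. Drop the two added lines here (`.SH NSSWITCH DOMAIN` and the blank line after it), or have the generator skip the heading when it has nothing to list.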
@@ -53011,33 +57278,46 @@ index 0000000..f32b8bd
 +selinux(8), numad(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nut_upsd_selinux.8 b/man/man8/nut_upsd_selinux.8
 new file mode 100644
-index 0000000..efd7061
+index 0000000..9849ffd
 --- /dev/null
 +++ b/man/man8/nut_upsd_selinux.8
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,121 @@
 +.TH  "nut_upsd_selinux"  "8"  "nut_upsd" "dwalsh at redhat.com" "nut_upsd SELinux Policy documentation"
 +.SH "NAME"
 +nut_upsd_selinux \- Security Enhanced Linux Policy for the nut_upsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nut_upsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nut_upsd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nut_upsd processes execute with the nut_upsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nut_upsd_t
++
++
++.SH "ENTRYPOINTS"
++
++The nut_upsd_t SELinux type can be entered via the "nut_upsd_exec_t" file type.  The default entrypoint paths for the nut_upsd_t domain are the following:"
 +
++/usr/sbin/upsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for nut_upsd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nut_upsd_t, nut_upsmon_t, nut_upsdrvctl_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -53077,27 +57357,9 @@ index 0000000..efd7061
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nut_upsd:
-+
-+.EX
-+.B nut_upsd_t, nut_upsmon_t, nut_upsdrvctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nut_upsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nut_upsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nut_var_run_t
@@ -53105,6 +57367,22 @@ index 0000000..efd7061
 +	/var/run/nut(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -53128,33 +57406,46 @@ index 0000000..efd7061
 \ No newline at end of file
 diff --git a/man/man8/nut_upsdrvctl_selinux.8 b/man/man8/nut_upsdrvctl_selinux.8
 new file mode 100644
-index 0000000..44c6d00
+index 0000000..6c6f730
 --- /dev/null
 +++ b/man/man8/nut_upsdrvctl_selinux.8
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,113 @@
 +.TH  "nut_upsdrvctl_selinux"  "8"  "nut_upsdrvctl" "dwalsh at redhat.com" "nut_upsdrvctl SELinux Policy documentation"
 +.SH "NAME"
 +nut_upsdrvctl_selinux \- Security Enhanced Linux Policy for the nut_upsdrvctl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nut_upsdrvctl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nut_upsdrvctl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nut_upsdrvctl processes execute with the nut_upsdrvctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsdrvctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nut_upsdrvctl_t
 +
++
++.SH "ENTRYPOINTS"
++
++The nut_upsdrvctl_t SELinux type can be entered via the "nut_upsdrvctl_exec_t" file type.  The default entrypoint paths for the nut_upsdrvctl_t domain are the following:"
++
++/usr/sbin/upsdrvctl, /sbin/upsdrvctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nut_upsdrvctl_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for nut_upsdrvctl:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nut_upsdrvctl_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -53186,27 +57477,9 @@ index 0000000..44c6d00
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nut_upsdrvctl:
-+
-+.EX
-+.B nut_upsdrvctl_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nut_upsdrvctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nut_upsdrvctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nut_var_run_t
@@ -53214,6 +57487,22 @@ index 0000000..44c6d00
 +	/var/run/nut(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsdrvctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nut_upsdrvctl_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -53233,37 +57522,50 @@ index 0000000..44c6d00
 +
 +.SH "SEE ALSO"
 +selinux(8), nut_upsdrvctl(8), semanage(8), restorecon(8), chcon(1)
-+, nut_upsd_selinux(8)
++, nut_upsd_selinux(8), nut_upsd_selinux(8), nut_upsmon_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/nut_upsmon_selinux.8 b/man/man8/nut_upsmon_selinux.8
 new file mode 100644
-index 0000000..165cca3
+index 0000000..0628e55
 --- /dev/null
 +++ b/man/man8/nut_upsmon_selinux.8
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,183 @@
 +.TH  "nut_upsmon_selinux"  "8"  "nut_upsmon" "dwalsh at redhat.com" "nut_upsmon SELinux Policy documentation"
 +.SH "NAME"
 +nut_upsmon_selinux \- Security Enhanced Linux Policy for the nut_upsmon processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the nut_upsmon processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the nut_upsmon processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The nut_upsmon processes execute with the nut_upsmon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep nut_upsmon_t
++
++
++.SH "ENTRYPOINTS"
 +
++The nut_upsmon_t SELinux type can be entered via the "nut_upsmon_exec_t" file type.  The default entrypoint paths for the nut_upsmon_t domain are the following:"
++
++/usr/sbin/upsmon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the nut_upsmon_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible.
++.PP 
++The following process types are defined for nut_upsmon:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B nut_upsmon_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
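Review bot: The rewritten SEE ALSO continuation for nut_upsdrvctl_selinux.8 lists `nut_upsd_selinux(8)` twice; it should read `, nut_upsd_selinux(8), nut_upsmon_selinux(8)`. Because that line starts with a comma, the filled output will have a space before the comma after `chcon(1)`. Appending the cross-references to the previous line avoids that. This hunk also covers the start of nut_upsmon_selinux.8, whose remaining sections lie outside it.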
@@ -53291,27 +57593,9 @@ index 0000000..165cca3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for nut_upsmon:
-+
-+.EX
-+.B nut_upsmon_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nut_upsmon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nut_upsmon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -53393,6 +57677,22 @@ index 0000000..165cca3
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -53412,12 +57712,14 @@ index 0000000..165cca3
 +
 +.SH "SEE ALSO"
 +selinux(8), nut_upsmon(8), semanage(8), restorecon(8), chcon(1)
++, nut_upsd_selinux(8), nut_upsdrvctl_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/nx_server_selinux.8 b/man/man8/nx_server_selinux.8
 new file mode 100644
-index 0000000..f93f088
+index 0000000..9640baa
 --- /dev/null
 +++ b/man/man8/nx_server_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,125 @@
 +.TH  "nx_server_selinux"  "8"  "nx_server" "mgrepl at redhat.com" "nx_server SELinux Policy documentation"
 +.SH "NAME"
 +nx_server_r \- \fBnx_server user role\fP - Security Enhanced Linux Policy 
@@ -53462,7 +57764,7 @@ index 0000000..f93f088
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type nx_server_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type nx_server_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B nx_server_home_ssh_t
@@ -53515,6 +57817,14 @@ index 0000000..f93f088
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
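Review bot: The four paths added under this file type, `/home/dwalsh/\.ssh(/.*)?`, `/home/dwalsh/\.shosts` and the two `/var/lib/xguest/home/xguest/` entries, name specific accounts rather than policy defaults, although the MANAGED FILES lead-in calls the list "the default paths for these file types". They look like expanded home-directory file-context entries from the host where the page was generated; that is an inference, since the generator is not visible here. A shipped man page should carry only the generic `/home/[^/]*/` patterns already listed, so the generator should either run against a clean policy store or filter out per-account expansions.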
@@ -53537,19 +57847,46 @@ index 0000000..f93f088
 +selinux(8), nx_server(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8
 new file mode 100644
-index 0000000..d901467
+index 0000000..40bb313
 --- /dev/null
 +++ b/man/man8/obex_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,88 @@
 +.TH  "obex_selinux"  "8"  "obex" "dwalsh at redhat.com" "obex SELinux Policy documentation"
 +.SH "NAME"
 +obex_selinux \- Security Enhanced Linux Policy for the obex processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the obex processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the obex processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The obex processes execute with the obex_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep obex_t
++
++
++.SH "ENTRYPOINTS"
++
++The obex_t SELinux type can be entered via the "obex_exec_t" file type.  The default entrypoint paths for the obex_t domain are the following:"
++
++/usr/bin/obex-data-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
++.PP 
++The following process types are defined for obex:
++
++.EX
++.B obex_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
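Review bot: In the relocated PROCESS TYPES text the closing font escape is mistyped as `\bP` in `\fBps\bP`, so the bold started by `\fB` is never switched back; it should read `\fBps\fP`. The new ENTRYPOINTS sentence also ends with an unbalanced quote, `are the following:"`, which should be `are the following:`. Both recur in the oddjob_mkhomedir, oddjob, openct, openshift_cgroup_read, openshift_initrc and openvpn pages regenerated by this commit, so the fix presumably belongs in the generator template rather than in each page.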
@@ -53577,27 +57914,11 @@ index 0000000..d901467
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for obex:
-+
-+.EX
-+.B obex_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type obex_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type obex_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
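Review bot: The added `.SH NSSWITCH DOMAIN` heading has no body in this page; the next content line is `.SH "COMMANDS"`, so the rendered page shows an empty section. The generator should emit the heading only when at least one boolean paragraph follows it. The same empty heading is added in the openct, openshift_cgroup_read and openshift_initrc pages. MANAGED FILES in this page is likewise a lead-in sentence with no file types under it.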
@@ -53620,33 +57941,46 @@ index 0000000..d901467
 +selinux(8), obex(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/oddjob_mkhomedir_selinux.8 b/man/man8/oddjob_mkhomedir_selinux.8
 new file mode 100644
-index 0000000..d79ae34
+index 0000000..9596017
 --- /dev/null
 +++ b/man/man8/oddjob_mkhomedir_selinux.8
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,119 @@
 +.TH  "oddjob_mkhomedir_selinux"  "8"  "oddjob_mkhomedir" "dwalsh at redhat.com" "oddjob_mkhomedir SELinux Policy documentation"
 +.SH "NAME"
 +oddjob_mkhomedir_selinux \- Security Enhanced Linux Policy for the oddjob_mkhomedir processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the oddjob_mkhomedir processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the oddjob_mkhomedir processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The oddjob_mkhomedir processes execute with the oddjob_mkhomedir_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep oddjob_mkhomedir_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The oddjob_mkhomedir_t SELinux type can be entered via the "oddjob_mkhomedir_exec_t" file type.  The default entrypoint paths for the oddjob_mkhomedir_t domain are the following:"
++
++/usr/libexec/oddjob/mkhomedir, /usr/lib/oddjob/mkhomedir
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible.
++.PP 
++The following process types are defined for oddjob_mkhomedir:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B oddjob_mkhomedir_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -53678,27 +58012,9 @@ index 0000000..d79ae34
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for oddjob_mkhomedir:
-+
-+.EX
-+.B oddjob_mkhomedir_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type oddjob_mkhomedir_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type oddjob_mkhomedir_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B security_t
@@ -53712,6 +58028,22 @@ index 0000000..d79ae34
 +	all user home files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -53731,47 +58063,60 @@ index 0000000..d79ae34
 +
 +.SH "SEE ALSO"
 +selinux(8), oddjob_mkhomedir(8), semanage(8), restorecon(8), chcon(1)
-+, oddjob_selinux(8)
++, oddjob_selinux(8), oddjob_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8
 new file mode 100644
-index 0000000..8ba6cc2
+index 0000000..9b761d1
 --- /dev/null
 +++ b/man/man8/oddjob_selinux.8
-@@ -0,0 +1,138 @@
+@@ -0,0 +1,149 @@
 +.TH  "oddjob_selinux"  "8"  "oddjob" "dwalsh at redhat.com" "oddjob SELinux Policy documentation"
 +.SH "NAME"
 +oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the oddjob processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the oddjob processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible.
++The oddjob processes execute with the oddjob_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
++.B ps -eZ | grep oddjob_t
 +
-+.EX
-+.B setsebool -P httpd_use_oddjob 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The oddjob_t SELinux type can be entered via the "oddjob_exec_t" file type.  The default entrypoint paths for the oddjob_t domain are the following:"
 +
++/usr/sbin/oddjobd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
++.PP 
++The following process types are defined for oddjob:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B oddjob_mkhomedir_t, oddjob_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean.
++If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_use_oddjob 1
 +.EE
 +
 +.SH FILE CONTEXTS
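Review bot: The regenerated SEE ALSO continuation line at the top of this hunk lists the same page twice, `, oddjob_selinux(8), oddjob_selinux(8)`; the previous `, oddjob_selinux(8)` was correct. The repeat suggests the generator collects related domains without de-duplicating them, which is an inference from this one line.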
@@ -53820,27 +58165,9 @@ index 0000000..8ba6cc2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for oddjob:
-+
-+.EX
-+.B oddjob_mkhomedir_t, oddjob_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type oddjob_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type oddjob_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B oddjob_var_run_t
@@ -53854,6 +58181,22 @@ index 0000000..8ba6cc2
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -53880,19 +58223,46 @@ index 0000000..8ba6cc2
 \ No newline at end of file
 diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8
 new file mode 100644
-index 0000000..f7155b6
+index 0000000..40c6bc9
 --- /dev/null
 +++ b/man/man8/openct_selinux.8
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,110 @@
 +.TH  "openct_selinux"  "8"  "openct" "dwalsh at redhat.com" "openct SELinux Policy documentation"
 +.SH "NAME"
 +openct_selinux \- Security Enhanced Linux Policy for the openct processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the openct processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the openct processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The openct processes execute with the openct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep openct_t
++
++
++.SH "ENTRYPOINTS"
++
++The openct_t SELinux type can be entered via the "openct_exec_t" file type.  The default entrypoint paths for the openct_t domain are the following:"
++
++/usr/sbin/ifdhandler, /usr/sbin/openct-control
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
++.PP 
++The following process types are defined for openct:
++
++.EX
++.B openct_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -53932,27 +58302,9 @@ index 0000000..f7155b6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for openct:
-+
-+.EX
-+.B openct_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type openct_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type openct_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B openct_var_run_t
@@ -53964,6 +58316,8 @@ index 0000000..f7155b6
 +.B usbfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -53985,19 +58339,46 @@ index 0000000..f7155b6
 +selinux(8), openct(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/openshift_cgroup_read_selinux.8 b/man/man8/openshift_cgroup_read_selinux.8
 new file mode 100644
-index 0000000..54de9de
+index 0000000..a594edd
 --- /dev/null
 +++ b/man/man8/openshift_cgroup_read_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "openshift_cgroup_read_selinux"  "8"  "openshift_cgroup_read" "dwalsh at redhat.com" "openshift_cgroup_read SELinux Policy documentation"
 +.SH "NAME"
 +openshift_cgroup_read_selinux \- Security Enhanced Linux Policy for the openshift_cgroup_read processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the openshift_cgroup_read processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the openshift_cgroup_read processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The openshift_cgroup_read processes execute with the openshift_cgroup_read_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep openshift_cgroup_read_t
++
++
++.SH "ENTRYPOINTS"
++
++The openshift_cgroup_read_t SELinux type can be entered via the "openshift_cgroup_read_exec_t" file type.  The default entrypoint paths for the openshift_cgroup_read_t domain are the following:"
++
++/usr/bin/rhc-cgroup-read
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible.
++.PP 
++The following process types are defined for openshift_cgroup_read:
++
++.EX
++.B openshift_cgroup_read_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -54025,27 +58406,11 @@ index 0000000..54de9de
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for openshift_cgroup_read:
-+
-+.EX
-+.B openshift_cgroup_read_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type openshift_cgroup_read_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type openshift_cgroup_read_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -54066,21 +58431,50 @@ index 0000000..54de9de
 +
 +.SH "SEE ALSO"
 +selinux(8), openshift_cgroup_read(8), semanage(8), restorecon(8), chcon(1)
++, openshift_initrc_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/openshift_initrc_selinux.8 b/man/man8/openshift_initrc_selinux.8
 new file mode 100644
-index 0000000..e1928fb
+index 0000000..7c72a08
 --- /dev/null
 +++ b/man/man8/openshift_initrc_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,107 @@
 +.TH  "openshift_initrc_selinux"  "8"  "openshift_initrc" "dwalsh at redhat.com" "openshift_initrc SELinux Policy documentation"
 +.SH "NAME"
 +openshift_initrc_selinux \- Security Enhanced Linux Policy for the openshift_initrc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the openshift_initrc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the openshift_initrc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The openshift_initrc processes execute with the openshift_initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep openshift_initrc_t
++
++
++.SH "ENTRYPOINTS"
++
++The openshift_initrc_t SELinux type can be entered via the "proc_type,file_type,mtrr_device_t,openshift_initrc_exec_t,sysctl_type,filesystem_type,unlabeled_t" file types.  The default entrypoint paths for the openshift_initrc_t domain are the following:"
++
++/dev/cpu/mtrr, /usr/bin/rhc-restorer, /etc/rc\.d/init\.d/mcollective, /etc/rc\.d/init\.d/libra
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible.
++.PP 
++The following process types are defined for openshift_initrc:
++
++.EX
++.B openshift_initrc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
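Review bot: The new ENTRYPOINTS paragraph for openshift_initrc_t prints the attribute names `proc_type`, `file_type`, `sysctl_type` and `filesystem_type`, plus `unlabeled_t`, in the same quoted list as `openshift_initrc_exec_t`, and then gives only four default paths. Read literally, the page says the domain can be entered from any file type, and the short path list hides that from an administrator auditing domain transitions. The generator could expand attributes the way MANAGED FILES already does for `file_type` ("all files on the system"), or add a sentence such as `This domain can be entered from any file on the system.`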
@@ -54120,27 +58514,9 @@ index 0000000..e1928fb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for openshift_initrc:
-+
-+.EX
-+.B openshift_initrc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type openshift_initrc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type openshift_initrc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B file_type
@@ -54148,6 +58524,8 @@ index 0000000..e1928fb
 +	all files on the system
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -54167,45 +58545,60 @@ index 0000000..e1928fb
 +
 +.SH "SEE ALSO"
 +selinux(8), openshift_initrc(8), semanage(8), restorecon(8), chcon(1)
++, openshift_cgroup_read_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8
 new file mode 100644
-index 0000000..2140d05
+index 0000000..9b045d6
 --- /dev/null
 +++ b/man/man8/openvpn_selinux.8
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,307 @@
 +.TH  "openvpn_selinux"  "8"  "openvpn" "dwalsh at redhat.com" "openvpn SELinux Policy documentation"
 +.SH "NAME"
 +openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the openvpn processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the openvpn processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible.
++The openvpn processes execute with the openvpn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean.
++.B ps -eZ | grep openvpn_t
 +
-+.EX
-+.B setsebool -P openvpn_enable_homedirs 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The openvpn_t SELinux type can be entered via the "openvpn_exec_t" file type.  The default entrypoint paths for the openvpn_t domain are the following:"
++
++/usr/sbin/openvpn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
++.PP 
++The following process types are defined for openvpn:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B openvpn_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean.
++If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P openvpn_enable_homedirs 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -54311,27 +58704,9 @@ index 0000000..2140d05
 +.EE
 +udp 1194
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for openvpn:
-+
-+.EX
-+.B openvpn_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type openvpn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type openvpn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -54443,6 +58818,22 @@ index 0000000..2140d05
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -54472,33 +58863,46 @@ index 0000000..2140d05
 \ No newline at end of file
 diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8
 new file mode 100644
-index 0000000..6f7f43b
+index 0000000..41d4bf5
 --- /dev/null
 +++ b/man/man8/pacemaker_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,152 @@
 +.TH  "pacemaker_selinux"  "8"  "pacemaker" "dwalsh at redhat.com" "pacemaker SELinux Policy documentation"
 +.SH "NAME"
 +pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pacemaker processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pacemaker processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pacemaker processes execute with the pacemaker_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep pacemaker_t
++
++
++.SH "ENTRYPOINTS"
 +
++The pacemaker_t SELinux type can be entered via the "pacemaker_exec_t" file type.  The default entrypoint paths for the pacemaker_t domain are the following:"
++
++/usr/sbin/pacemakerd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
++.PP 
++The following process types are defined for pacemaker:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pacemaker_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -54562,27 +58966,9 @@ index 0000000..6f7f43b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pacemaker:
-+
-+.EX
-+.B pacemaker_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pacemaker_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pacemaker_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pacemaker_var_lib_t
@@ -54598,6 +58984,22 @@ index 0000000..6f7f43b
 +	/var/run/crm(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -54619,19 +59021,46 @@ index 0000000..6f7f43b
 +selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8
 new file mode 100644
-index 0000000..59f31f3
+index 0000000..7bcd0e1
 --- /dev/null
 +++ b/man/man8/pads_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,142 @@
 +.TH  "pads_selinux"  "8"  "pads" "dwalsh at redhat.com" "pads SELinux Policy documentation"
 +.SH "NAME"
 +pads_selinux \- Security Enhanced Linux Policy for the pads processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pads processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pads processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pads processes execute with the pads_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep pads_t
++
++
++.SH "ENTRYPOINTS"
++
++The pads_t SELinux type can be entered via the "pads_exec_t" file type.  The default entrypoint paths for the pads_t domain are the following:"
++
++/usr/bin/pads
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
++.PP 
++The following process types are defined for pads:
++
++.EX
++.B pads_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -54687,27 +59116,9 @@ index 0000000..59f31f3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pads:
-+
-+.EX
-+.B pads_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pads_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pads_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pads_config_t
@@ -54735,6 +59146,8 @@ index 0000000..59f31f3
 +	/var/spool/prelude-manager(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -54756,33 +59169,46 @@ index 0000000..59f31f3
 +selinux(8), pads(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pam_console_selinux.8 b/man/man8/pam_console_selinux.8
 new file mode 100644
-index 0000000..52a061f
+index 0000000..cb82cbb
 --- /dev/null
 +++ b/man/man8/pam_console_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,107 @@
 +.TH  "pam_console_selinux"  "8"  "pam_console" "dwalsh at redhat.com" "pam_console SELinux Policy documentation"
 +.SH "NAME"
 +pam_console_selinux \- Security Enhanced Linux Policy for the pam_console processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pam_console processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pam_console processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pam_console processes execute with the pam_console_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep pam_console_t
++
++
++.SH "ENTRYPOINTS"
 +
++The pam_console_t SELinux type can be entered via the "pam_console_exec_t" file type.  The default entrypoint paths for the pam_console_t domain are the following:"
++
++/sbin/pam_console_apply, /usr/sbin/pam_console_apply
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pam_console_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible.
++.PP 
++The following process types are defined for pam_console:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pam_console_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -54814,27 +59240,25 @@ index 0000000..52a061f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type pam_console_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pam_console:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B pam_console_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the pam_console_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type pam_console_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -54855,35 +59279,50 @@ index 0000000..52a061f
 +
 +.SH "SEE ALSO"
 +selinux(8), pam_console(8), semanage(8), restorecon(8), chcon(1)
++, pam_timestamp_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/pam_timestamp_selinux.8 b/man/man8/pam_timestamp_selinux.8
 new file mode 100644
-index 0000000..8a4d1da
+index 0000000..59c55cc
 --- /dev/null
 +++ b/man/man8/pam_timestamp_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,119 @@
 +.TH  "pam_timestamp_selinux"  "8"  "pam_timestamp" "dwalsh at redhat.com" "pam_timestamp SELinux Policy documentation"
 +.SH "NAME"
 +pam_timestamp_selinux \- Security Enhanced Linux Policy for the pam_timestamp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pam_timestamp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pam_timestamp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pam_timestamp processes execute with the pam_timestamp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep pam_timestamp_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The pam_timestamp_t SELinux type can be entered via the "pam_timestamp_exec_t" file type.  The default entrypoint paths for the pam_timestamp_t domain are the following:"
++
++/sbin/pam_timestamp_check, /usr/sbin/pam_timestamp_check
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
++.PP 
++The following process types are defined for pam_timestamp:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pam_timestamp_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -54923,32 +59362,30 @@ index 0000000..8a4d1da
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pam_timestamp:
-+
-+.EX
-+.B pam_timestamp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pam_timestamp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pam_timestamp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pam_timestamp_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -54968,35 +59405,50 @@ index 0000000..8a4d1da
 +
 +.SH "SEE ALSO"
 +selinux(8), pam_timestamp(8), semanage(8), restorecon(8), chcon(1)
++, pam_console_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8
 new file mode 100644
-index 0000000..13d501c
+index 0000000..731330b
 --- /dev/null
 +++ b/man/man8/passenger_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,172 @@
 +.TH  "passenger_selinux"  "8"  "passenger" "dwalsh at redhat.com" "passenger SELinux Policy documentation"
 +.SH "NAME"
 +passenger_selinux \- Security Enhanced Linux Policy for the passenger processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the passenger processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the passenger processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The passenger processes execute with the passenger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep passenger_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The passenger_t SELinux type can be entered via the "passenger_exec_t" file type.  The default entrypoint paths for the passenger_t domain are the following:"
++
++/usr/share/gems/.*/ApplicationPoolServerExecutable, /usr/lib/gems/.*/Passenger.*, /usr/share/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
++.PP 
++The following process types are defined for passenger:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B passenger_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -55064,27 +59516,9 @@ index 0000000..13d501c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for passenger:
-+
-+.EX
-+.B passenger_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type passenger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type passenger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B passenger_log_t
@@ -55116,6 +59550,22 @@ index 0000000..13d501c
 +	/var/lib/puppet(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -55137,33 +59587,46 @@ index 0000000..13d501c
 +selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8
 new file mode 100644
-index 0000000..6a3a2a2
+index 0000000..20f2645
 --- /dev/null
 +++ b/man/man8/passwd_selinux.8
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,212 @@
 +.TH  "passwd_selinux"  "8"  "passwd" "dwalsh at redhat.com" "passwd SELinux Policy documentation"
 +.SH "NAME"
 +passwd_selinux \- Security Enhanced Linux Policy for the passwd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the passwd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the passwd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The passwd processes execute with the passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep passwd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The passwd_t SELinux type can be entered via the "passwd_exec_t" file type.  The default entrypoint paths for the passwd_t domain are the following:"
++
++/usr/bin/passwd, /usr/bin/chage
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for passwd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B passwd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -55207,27 +59670,9 @@ index 0000000..6a3a2a2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for passwd:
-+
-+.EX
-+.B passwd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type passwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type passwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -55323,6 +59768,22 @@ index 0000000..6a3a2a2
 +	/etc/security/opasswd\.old
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -55344,19 +59805,46 @@ index 0000000..6a3a2a2
 +selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8
 new file mode 100644
-index 0000000..33f23f3
+index 0000000..538030f
 --- /dev/null
 +++ b/man/man8/pcscd_selinux.8
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,118 @@
 +.TH  "pcscd_selinux"  "8"  "pcscd" "dwalsh at redhat.com" "pcscd SELinux Policy documentation"
 +.SH "NAME"
 +pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pcscd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pcscd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pcscd processes execute with the pcscd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep pcscd_t
++
++
++.SH "ENTRYPOINTS"
++
++The pcscd_t SELinux type can be entered via the "pcscd_exec_t" file type.  The default entrypoint paths for the pcscd_t domain are the following:"
++
++/usr/sbin/pcscd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pcscd:
++
++.EX
++.B pcscd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -55396,27 +59884,9 @@ index 0000000..33f23f3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pcscd:
-+
-+.EX
-+.B pcscd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pcscd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pcscd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pcscd_var_run_t
@@ -55436,6 +59906,8 @@ index 0000000..33f23f3
 +.B usbfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -55457,33 +59929,46 @@ index 0000000..33f23f3
 +selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8
 new file mode 100644
-index 0000000..47cf63c
+index 0000000..a249ffd
 --- /dev/null
 +++ b/man/man8/pegasus_selinux.8
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,285 @@
 +.TH  "pegasus_selinux"  "8"  "pegasus" "dwalsh at redhat.com" "pegasus SELinux Policy documentation"
 +.SH "NAME"
 +pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pegasus processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pegasus processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pegasus processes execute with the pegasus_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep pegasus_t
 +
++
++.SH "ENTRYPOINTS"
++
++The pegasus_t SELinux type can be entered via the "pegasus_exec_t" file type.  The default entrypoint paths for the pegasus_t domain are the following:"
++
++/usr/sbin/init_repository, /usr/sbin/cimserver
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
++.PP 
++The following process types are defined for pegasus:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pegasus_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -55601,27 +60086,9 @@ index 0000000..47cf63c
 +Default Defined Ports:
 +tcp 5989
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pegasus:
-+
-+.EX
-+.B pegasus_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pegasus_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pegasus_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -55713,6 +60180,22 @@ index 0000000..47cf63c
 +	/etc/libvirt
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -55737,33 +60220,46 @@ index 0000000..47cf63c
 +selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/phpfpm_selinux.8 b/man/man8/phpfpm_selinux.8
 new file mode 100644
-index 0000000..df354e1
+index 0000000..dc7297c
 --- /dev/null
 +++ b/man/man8/phpfpm_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "phpfpm_selinux"  "8"  "phpfpm" "dwalsh at redhat.com" "phpfpm SELinux Policy documentation"
 +.SH "NAME"
 +phpfpm_selinux \- Security Enhanced Linux Policy for the phpfpm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the phpfpm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the phpfpm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The phpfpm processes execute with the phpfpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the phpfpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep phpfpm_t
 +
++
++.SH "ENTRYPOINTS"
++
++The phpfpm_t SELinux type can be entered via the "phpfpm_exec_t" file type.  The default entrypoint paths for the phpfpm_t domain are the following:"
++
++/usr/sbin/php-fpm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the phpfpm_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible.
++.PP 
++The following process types are defined for phpfpm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B phpfpm_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
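Review bot: The re-added PROCESS TYPES line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends its bold run with `\bP` instead of `\fP`. The bold font is therefore not reset on that line, and roff reads `\b` as a different escape; the line should end `\fBps\fP`. The new ENTRYPOINTS sentence in this hunk also ends with an unmatched `"` after `are the following:`. Both lines recur with only the domain name changed in the pegasus, ping, pingd and piranha_* sections of this patch. That suggests the pages are generated, so the fix probably belongs in the generator's template rather than in each page.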
@@ -55815,27 +60311,9 @@ index 0000000..df354e1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for phpfpm:
-+
-+.EX
-+.B phpfpm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type phpfpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type phpfpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B phpfpm_log_t
@@ -55849,6 +60327,22 @@ index 0000000..df354e1
 +	/var/run/php-fpm(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the phpfpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the phpfpm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -55870,43 +60364,56 @@ index 0000000..df354e1
 +selinux(8), phpfpm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8
 new file mode 100644
-index 0000000..70f5047
+index 0000000..7d6ea3c
 --- /dev/null
 +++ b/man/man8/ping_selinux.8
-@@ -0,0 +1,168 @@
+@@ -0,0 +1,175 @@
 +.TH  "ping_selinux"  "8"  "ping" "dwalsh at redhat.com" "ping SELinux Policy documentation"
 +.SH "NAME"
 +ping_selinux \- Security Enhanced Linux Policy for the ping processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ping processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ping processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible.
++The ping processes execute with the ping_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to control users use of ping and traceroute, you must turn on the selinuxuser_ping boolean.
++.B ps -eZ | grep ping_t
 +
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The ping_t SELinux type can be entered via the "ping_exec_t" file type.  The default entrypoint paths for the ping_t domain are the following:"
 +
++/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
++.PP 
++The following process types are defined for ping:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B ping_t, pingd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P selinuxuser_ping 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -55994,27 +60501,21 @@ index 0000000..70f5047
 +Default Defined Ports:
 +tcp 9125
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ping:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B ping_t, pingd_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type ping_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -56045,43 +60546,56 @@ index 0000000..70f5047
 \ No newline at end of file
 diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8
 new file mode 100644
-index 0000000..ae218b9
+index 0000000..e313ff3
 --- /dev/null
 +++ b/man/man8/pingd_selinux.8
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,167 @@
 +.TH  "pingd_selinux"  "8"  "pingd" "dwalsh at redhat.com" "pingd SELinux Policy documentation"
 +.SH "NAME"
 +pingd_selinux \- Security Enhanced Linux Policy for the pingd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pingd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pingd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible.
++The pingd processes execute with the pingd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to control users use of ping and traceroute, you must turn on the selinuxuser_ping boolean.
++.B ps -eZ | grep pingd_t
 +
-+.EX
-+.B setsebool -P selinuxuser_ping 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The pingd_t SELinux type can be entered via the "pingd_exec_t" file type.  The default entrypoint paths for the pingd_t domain are the following:"
++
++/usr/sbin/pingd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pingd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B ping_t, pingd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P selinuxuser_ping 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -56157,27 +60671,25 @@ index 0000000..ae218b9
 +Default Defined Ports:
 +tcp 9125
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type pingd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pingd:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B ping_t, pingd_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type pingd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -56208,33 +60720,46 @@ index 0000000..ae218b9
 \ No newline at end of file
 diff --git a/man/man8/piranha_fos_selinux.8 b/man/man8/piranha_fos_selinux.8
 new file mode 100644
-index 0000000..4fbb05a
+index 0000000..e2eb49c
 --- /dev/null
 +++ b/man/man8/piranha_fos_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,117 @@
 +.TH  "piranha_fos_selinux"  "8"  "piranha_fos" "dwalsh at redhat.com" "piranha_fos SELinux Policy documentation"
 +.SH "NAME"
 +piranha_fos_selinux \- Security Enhanced Linux Policy for the piranha_fos processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the piranha_fos processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the piranha_fos processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The piranha_fos processes execute with the piranha_fos_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_fos_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep piranha_fos_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The piranha_fos_t SELinux type can be entered via the "piranha_fos_exec_t" file type.  The default entrypoint paths for the piranha_fos_t domain are the following:"
++
++/usr/sbin/fos
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the piranha_fos_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible.
++.PP 
++The following process types are defined for piranha_fos:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B piranha_fos_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -56270,27 +60795,9 @@ index 0000000..4fbb05a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for piranha_fos:
-+
-+.EX
-+.B piranha_fos_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type piranha_fos_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type piranha_fos_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B piranha_fos_var_run_t
@@ -56298,6 +60805,22 @@ index 0000000..4fbb05a
 +	/var/run/fos\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_fos_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_fos_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -56317,45 +60840,60 @@ index 0000000..4fbb05a
 +
 +.SH "SEE ALSO"
 +selinux(8), piranha_fos(8), semanage(8), restorecon(8), chcon(1)
++, piranha_lvs_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/piranha_lvs_selinux.8 b/man/man8/piranha_lvs_selinux.8
 new file mode 100644
-index 0000000..c026032
+index 0000000..66e33aa
 --- /dev/null
 +++ b/man/man8/piranha_lvs_selinux.8
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,131 @@
 +.TH  "piranha_lvs_selinux"  "8"  "piranha_lvs" "dwalsh at redhat.com" "piranha_lvs SELinux Policy documentation"
 +.SH "NAME"
 +piranha_lvs_selinux \- Security Enhanced Linux Policy for the piranha_lvs processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the piranha_lvs processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the piranha_lvs processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  piranha_lvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_lvs with the tightest access possible.
++The piranha_lvs processes execute with the piranha_lvs_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
++.B ps -eZ | grep piranha_lvs_t
 +
-+.EX
-+.B setsebool -P piranha_lvs_can_network_connect 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The piranha_lvs_t SELinux type can be entered via the "piranha_lvs_exec_t" file type.  The default entrypoint paths for the piranha_lvs_t domain are the following:"
 +
++/usr/sbin/lvsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_lvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible.
++.PP 
++The following process types are defined for piranha_lvs:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B piranha_lvs_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  piranha_lvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_lvs with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the piranha_lvs_t, you must turn on the kerberos_enabled boolean.
++If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P piranha_lvs_can_network_connect 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -56392,27 +60930,9 @@ index 0000000..c026032
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for piranha_lvs:
-+
-+.EX
-+.B piranha_lvs_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type piranha_lvs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type piranha_lvs_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B piranha_lvs_var_run_t
@@ -56420,6 +60940,22 @@ index 0000000..c026032
 +	/var/run/lvs\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_lvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_lvs_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -56442,37 +60978,50 @@ index 0000000..c026032
 +
 +.SH "SEE ALSO"
 +selinux(8), piranha_lvs(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8)
++, setsebool(8), piranha_fos_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/piranha_pulse_selinux.8 b/man/man8/piranha_pulse_selinux.8
 new file mode 100644
-index 0000000..35a8742
+index 0000000..5cfee79
 --- /dev/null
 +++ b/man/man8/piranha_pulse_selinux.8
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,149 @@
 +.TH  "piranha_pulse_selinux"  "8"  "piranha_pulse" "dwalsh at redhat.com" "piranha_pulse SELinux Policy documentation"
 +.SH "NAME"
 +piranha_pulse_selinux \- Security Enhanced Linux Policy for the piranha_pulse processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the piranha_pulse processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the piranha_pulse processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The piranha_pulse processes execute with the piranha_pulse_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep piranha_pulse_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The piranha_pulse_t SELinux type can be entered via the "piranha_pulse_exec_t" file type.  The default entrypoint paths for the piranha_pulse_t domain are the following:"
++
++/usr/sbin/pulse
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible.
++.PP 
++The following process types are defined for piranha_pulse:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B piranha_pulse_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -56516,27 +61065,9 @@ index 0000000..35a8742
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for piranha_pulse:
-+
-+.EX
-+.B piranha_pulse_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type piranha_pulse_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type piranha_pulse_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B piranha_pulse_var_run_t
@@ -56568,6 +61099,22 @@ index 0000000..35a8742
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -56587,35 +61134,50 @@ index 0000000..35a8742
 +
 +.SH "SEE ALSO"
 +selinux(8), piranha_pulse(8), semanage(8), restorecon(8), chcon(1)
++, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_web_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/piranha_web_selinux.8 b/man/man8/piranha_web_selinux.8
 new file mode 100644
-index 0000000..eb375dd
+index 0000000..628f57e
 --- /dev/null
 +++ b/man/man8/piranha_web_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,179 @@
 +.TH  "piranha_web_selinux"  "8"  "piranha_web" "dwalsh at redhat.com" "piranha_web SELinux Policy documentation"
 +.SH "NAME"
 +piranha_web_selinux \- Security Enhanced Linux Policy for the piranha_web processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the piranha_web processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the piranha_web processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The piranha_web processes execute with the piranha_web_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep piranha_web_t
++
++
++.SH "ENTRYPOINTS"
++
++The piranha_web_t SELinux type can be entered via the "piranha_web_exec_t" file type.  The default entrypoint paths for the piranha_web_t domain are the following:"
 +
++/usr/sbin/piranha_gui
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the piranha_web_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible.
++.PP 
++The following process types are defined for piranha_web:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B piranha_web_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -56687,27 +61249,9 @@ index 0000000..eb375dd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for piranha_web:
-+
-+.EX
-+.B piranha_web_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type piranha_web_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type piranha_web_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B piranha_etc_rw_t
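Review bot: The rewritten MANAGED FILES sentence still ends with "Note the processes UID still need to have DAC permissions.", which is ungrammatical and understates the point that SELinux is checked in addition to ordinary file permissions. I would word it as `Note that the process UID must still have DAC permissions on these files; SELinux access is checked in addition to, not instead of, ownership and mode bits.` The same sentence is repeated in the MANAGED FILES hunks for pkcsslotd, plymouth, plymouthd, podsleuth and the policykit pages. The file-type list that follows continues outside this hunk.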
@@ -56741,6 +61285,22 @@ index 0000000..eb375dd
 +	/var/run/piranha-httpd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the piranha_web_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
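Review bot: The relocated NSSWITCH DOMAIN text presents `authlogin_nsswitch_use_ldap` and `kerberos_enabled` as if they were scoped to piranha_web_t. The same two booleans appear verbatim in the policykit_auth, policykit_grant, policykit_resolve and policykit hunks, which suggests they are policy-wide switches. `setsebool -P` also makes the change persistent, so an admin following this page may widen access for more domains than intended. I would add a line such as `Note: this boolean is system-wide and \-P makes it persistent; it affects every domain that uses it, not only piranha_web_t.` The wording "rather then using a sssd serve" should read `rather than using an sssd server`.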
@@ -56760,21 +61320,50 @@ index 0000000..eb375dd
 +
 +.SH "SEE ALSO"
 +selinux(8), piranha_web(8), semanage(8), restorecon(8), chcon(1)
++, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_pulse_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/pkcsslotd_selinux.8 b/man/man8/pkcsslotd_selinux.8
 new file mode 100644
-index 0000000..14b8f89
+index 0000000..58418e3
 --- /dev/null
 +++ b/man/man8/pkcsslotd_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,146 @@
 +.TH  "pkcsslotd_selinux"  "8"  "pkcsslotd" "dwalsh at redhat.com" "pkcsslotd SELinux Policy documentation"
 +.SH "NAME"
 +pkcsslotd_selinux \- Security Enhanced Linux Policy for the pkcsslotd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pkcsslotd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pkcsslotd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pkcsslotd processes execute with the pkcsslotd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep pkcsslotd_t
++
++
++.SH "ENTRYPOINTS"
++
++The pkcsslotd_t SELinux type can be entered via the "pkcsslotd_exec_t" file type.  The default entrypoint paths for the pkcsslotd_t domain are the following:"
++
++/usr/sbin/pkcsslotd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pkcsslotd:
++
++.EX
++.B pkcsslotd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
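Review bot: In the PROCESS TYPES text added here, `\fBps\bP` uses `\bP` where the font-reset escape `\fP` is meant, so the bold started by `\fB` is probably never switched off and the text after it renders incorrectly. The line should end `option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray double quote (`are the following:"`) that should be dropped. Both defects recur in the matching hunks for plymouth, plymouthd, podsleuth and all four policykit pages. These pages look generated, so the fix likely belongs in the generator template rather than in each file.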
@@ -56842,27 +61431,9 @@ index 0000000..14b8f89
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pkcsslotd:
-+
-+.EX
-+.B pkcsslotd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pkcsslotd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pkcsslotd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pkcsslotd_tmp_t
@@ -56882,6 +61453,8 @@ index 0000000..14b8f89
 +.B pkcsslotd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
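Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the rendered page shows a heading with nothing under it. A reader cannot tell whether no nsswitch booleans apply to pkcsslotd_t or whether the content was lost. The heading should be emitted only when there is at least one boolean paragraph to print. The same empty section is added in the plymouth, plymouthd and podsleuth hunks.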
@@ -56903,19 +61476,46 @@ index 0000000..14b8f89
 +selinux(8), pkcsslotd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8
 new file mode 100644
-index 0000000..a87fa28
+index 0000000..632125a
 --- /dev/null
 +++ b/man/man8/plymouth_selinux.8
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,137 @@
 +.TH  "plymouth_selinux"  "8"  "plymouth" "dwalsh at redhat.com" "plymouth SELinux Policy documentation"
 +.SH "NAME"
 +plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the plymouth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the plymouth processes via flexible mandatory access control.
++
++The plymouth processes execute with the plymouth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep plymouth_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The plymouth_t SELinux type can be entered via the "plymouth_exec_t" file type.  The default entrypoint paths for the plymouth_t domain are the following:"
++
++/bin/plymouth, /usr/bin/plymouth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
++.PP 
++The following process types are defined for plymouth:
++
++.EX
++.B plymouth_t, plymouthd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
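Review bot: The permissive note at the end of the new PROCESS TYPES section tells the admin how to stop enforcement for a domain but not how to restore it. It also does not say that this is a troubleshooting aid rather than a configuration to leave in place. I would follow it with `.B semanage permissive -d PROCESS_TYPE` and a sentence such as `removes the domain from permissive mode again; use permissive mode only while collecting AVC messages.` The identical note appears in every PROCESS TYPES hunk of this patch. The FILE CONTEXTS section that follows continues outside this hunk.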
@@ -56991,27 +61591,11 @@ index 0000000..a87fa28
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for plymouth:
-+
-+.EX
-+.B plymouth_t, plymouthd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type plymouth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type plymouth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
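Review bot: The MANAGED FILES paragraph says plymouth_t "can manage files labeled with the following file types", but no types follow; the next line is the (also empty) `.SH NSSWITCH DOMAIN` heading. If the domain really has no managed file types, the page should say so, for example `The SELinux process type plymouth_t does not manage any file types.`, or omit the section. As written it reads like truncated output. The policykit_resolve hunk has the same empty list.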
@@ -57036,19 +61620,46 @@ index 0000000..a87fa28
 \ No newline at end of file
 diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8
 new file mode 100644
-index 0000000..f2fb21c
+index 0000000..006e0eb
 --- /dev/null
 +++ b/man/man8/plymouthd_selinux.8
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,159 @@
 +.TH  "plymouthd_selinux"  "8"  "plymouthd" "dwalsh at redhat.com" "plymouthd SELinux Policy documentation"
 +.SH "NAME"
 +plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the plymouthd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the plymouthd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The plymouthd processes execute with the plymouthd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep plymouthd_t
++
++
++.SH "ENTRYPOINTS"
++
++The plymouthd_t SELinux type can be entered via the "plymouthd_exec_t" file type.  The default entrypoint paths for the plymouthd_t domain are the following:"
++
++/sbin/plymouthd, /usr/sbin/plymouthd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
++.PP 
++The following process types are defined for plymouthd:
++
++.EX
++.B plymouth_t, plymouthd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
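Review bot: The PROCESS TYPES list added for plymouthd reads `.B plymouth_t, plymouthd_t`, identical to the plymouth page, while the new DESCRIPTION paragraph says plymouthd processes execute with plymouthd_t only. If the grouping is deliberate, a short sentence saying that related domains are listed together would help. Otherwise the list should be limited to `.B plymouthd_t`, so that an admin applying `semanage permissive -a` from this page does not relax the wrong domain.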
@@ -57112,27 +61723,9 @@ index 0000000..f2fb21c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for plymouthd:
-+
-+.EX
-+.B plymouth_t, plymouthd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type plymouthd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type plymouthd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B fonts_cache_t
@@ -57168,6 +61761,8 @@ index 0000000..f2fb21c
 +	/var/spool/[mg]dm(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -57191,19 +61786,46 @@ index 0000000..f2fb21c
 \ No newline at end of file
 diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8
 new file mode 100644
-index 0000000..bf9279b
+index 0000000..a823c27
 --- /dev/null
 +++ b/man/man8/podsleuth_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "podsleuth_selinux"  "8"  "podsleuth" "dwalsh at redhat.com" "podsleuth SELinux Policy documentation"
 +.SH "NAME"
 +podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the podsleuth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the podsleuth processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The podsleuth processes execute with the podsleuth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep podsleuth_t
++
++
++.SH "ENTRYPOINTS"
++
++The podsleuth_t SELinux type can be entered via the "podsleuth_exec_t" file type.  The default entrypoint paths for the podsleuth_t domain are the following:"
++
++/usr/bin/podsleuth, /usr/libexec/hal-podsleuth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
++.PP 
++The following process types are defined for podsleuth:
++
++.EX
++.B podsleuth_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -57259,27 +61881,9 @@ index 0000000..bf9279b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for podsleuth:
-+
-+.EX
-+.B podsleuth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type podsleuth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type podsleuth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B podsleuth_cache_t
@@ -57295,6 +61899,8 @@ index 0000000..bf9279b
 +.B podsleuth_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -57316,33 +61922,46 @@ index 0000000..bf9279b
 +selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/policykit_auth_selinux.8 b/man/man8/policykit_auth_selinux.8
 new file mode 100644
-index 0000000..f27414d
+index 0000000..aca2876
 --- /dev/null
 +++ b/man/man8/policykit_auth_selinux.8
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,207 @@
 +.TH  "policykit_auth_selinux"  "8"  "policykit_auth" "dwalsh at redhat.com" "policykit_auth SELinux Policy documentation"
 +.SH "NAME"
 +policykit_auth_selinux \- Security Enhanced Linux Policy for the policykit_auth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the policykit_auth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the policykit_auth processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The policykit_auth processes execute with the policykit_auth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep policykit_auth_t
 +
++
++.SH "ENTRYPOINTS"
++
++The policykit_auth_t SELinux type can be entered via the "policykit_auth_exec_t" file type.  The default entrypoint paths for the policykit_auth_t domain are the following:"
++
++/usr/libexec/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the policykit_auth_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible.
++.PP 
++The following process types are defined for policykit_auth:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B policykit_auth_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -57374,27 +61993,9 @@ index 0000000..f27414d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for policykit_auth:
-+
-+.EX
-+.B policykit_auth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type policykit_auth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type policykit_auth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -57496,6 +62097,22 @@ index 0000000..f27414d
 +	/var/lib/google-authenticator(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_auth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -57515,37 +62132,50 @@ index 0000000..f27414d
 +
 +.SH "SEE ALSO"
 +selinux(8), policykit_auth(8), semanage(8), restorecon(8), chcon(1)
-+, policykit_selinux(8)
++, policykit_selinux(8), policykit_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/policykit_grant_selinux.8 b/man/man8/policykit_grant_selinux.8
 new file mode 100644
-index 0000000..0253be8
+index 0000000..043ee2f
 --- /dev/null
 +++ b/man/man8/policykit_grant_selinux.8
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,159 @@
 +.TH  "policykit_grant_selinux"  "8"  "policykit_grant" "dwalsh at redhat.com" "policykit_grant SELinux Policy documentation"
 +.SH "NAME"
 +policykit_grant_selinux \- Security Enhanced Linux Policy for the policykit_grant processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the policykit_grant processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the policykit_grant processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The policykit_grant processes execute with the policykit_grant_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep policykit_grant_t
++
++
++.SH "ENTRYPOINTS"
++
++The policykit_grant_t SELinux type can be entered via the "policykit_grant_exec_t" file type.  The default entrypoint paths for the policykit_grant_t domain are the following:"
 +
++/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the policykit_grant_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible.
++.PP 
++The following process types are defined for policykit_grant:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B policykit_grant_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
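Review bot: The new SEE ALSO continuation line lists `policykit_selinux(8)` twice; it should read `, policykit_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8)`. Because the line starts with a comma on its own input line, the rendered output will also show a space before the comma after `chcon(1)`. Appending the references to the previous line would avoid that. The same duplicate appears in the SEE ALSO lines of the policykit_grant and policykit_resolve hunks.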
@@ -57577,27 +62207,9 @@ index 0000000..0253be8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for policykit_grant:
-+
-+.EX
-+.B policykit_grant_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type policykit_grant_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type policykit_grant_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -57651,6 +62263,22 @@ index 0000000..0253be8
 +.B system_cronjob_var_lib_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_grant_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -57670,37 +62298,50 @@ index 0000000..0253be8
 +
 +.SH "SEE ALSO"
 +selinux(8), policykit_grant(8), semanage(8), restorecon(8), chcon(1)
-+, policykit_selinux(8)
++, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_resolve_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/policykit_resolve_selinux.8 b/man/man8/policykit_resolve_selinux.8
 new file mode 100644
-index 0000000..52e392b
+index 0000000..6a2b1b2
 --- /dev/null
 +++ b/man/man8/policykit_resolve_selinux.8
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,107 @@
 +.TH  "policykit_resolve_selinux"  "8"  "policykit_resolve" "dwalsh at redhat.com" "policykit_resolve SELinux Policy documentation"
 +.SH "NAME"
 +policykit_resolve_selinux \- Security Enhanced Linux Policy for the policykit_resolve processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the policykit_resolve processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the policykit_resolve processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The policykit_resolve processes execute with the policykit_resolve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep policykit_resolve_t
++
++
++.SH "ENTRYPOINTS"
 +
++The policykit_resolve_t SELinux type can be entered via the "policykit_resolve_exec_t" file type.  The default entrypoint paths for the policykit_resolve_t domain are the following:"
++
++/usr/lib/policykit/polkit-resolve-exe-helper.*, /usr/libexec/polkit-resolve-exe-helper.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the policykit_resolve_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible.
++.PP 
++The following process types are defined for policykit_resolve:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B policykit_resolve_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -57732,27 +62373,25 @@ index 0000000..52e392b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type policykit_resolve_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for policykit_resolve:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B policykit_resolve_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_resolve_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type policykit_resolve_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -57773,37 +62412,50 @@ index 0000000..52e392b
 +
 +.SH "SEE ALSO"
 +selinux(8), policykit_resolve(8), semanage(8), restorecon(8), chcon(1)
-+, policykit_selinux(8)
++, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_grant_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8
 new file mode 100644
-index 0000000..3e023fe
+index 0000000..4a9451b
 --- /dev/null
 +++ b/man/man8/policykit_selinux.8
-@@ -0,0 +1,218 @@
+@@ -0,0 +1,229 @@
 +.TH  "policykit_selinux"  "8"  "policykit" "dwalsh at redhat.com" "policykit SELinux Policy documentation"
 +.SH "NAME"
 +policykit_selinux \- Security Enhanced Linux Policy for the policykit processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the policykit processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the policykit processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The policykit processes execute with the policykit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep policykit_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The policykit_t SELinux type can be entered via the "policykit_exec_t" file type.  The default entrypoint paths for the policykit_t domain are the following:"
++
++/usr/lib/polkit-1/polkitd, /usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/policykit/polkitd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
++.PP 
++The following process types are defined for policykit:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -57907,27 +62559,9 @@ index 0000000..3e023fe
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for policykit:
-+
-+.EX
-+.B policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type policykit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type policykit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B krb5_host_rcache_t
@@ -57979,6 +62613,22 @@ index 0000000..3e023fe
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -58002,17 +62652,46 @@ index 0000000..3e023fe
 \ No newline at end of file
 diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8
 new file mode 100644
-index 0000000..b549de6
+index 0000000..9ee292a
 --- /dev/null
 +++ b/man/man8/polipo_selinux.8
-@@ -0,0 +1,216 @@
+@@ -0,0 +1,227 @@
 +.TH  "polipo_selinux"  "8"  "polipo" "dwalsh at redhat.com" "polipo SELinux Policy documentation"
 +.SH "NAME"
 +polipo_selinux \- Security Enhanced Linux Policy for the polipo processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the polipo processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the polipo processes via flexible mandatory access control.
++
++The polipo processes execute with the polipo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep polipo_t
++
++
++.SH "ENTRYPOINTS"
++
++The polipo_t SELinux type can be entered via the "polipo_exec_t" file type.  The default entrypoint paths for the polipo_t domain are the following:"
++
++/usr/bin/polipo
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
++.PP 
++The following process types are defined for polipo:
++
++.EX
++.B polipo_t, polipo_session_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible.
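Review bot: The relocated PROCESS TYPES text still ends with `\fBps\bP`, which is not a font escape. The bold started by `\fB` is never switched back with `\fP`, so the line is likely to render incorrectly. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried into the PROCESS TYPES blocks of the portmap_helper, portmap, portreserve and postfix_* pages in the later hunks. These pages look generated, so the fix probably belongs in the generator template rather than in each page.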
@@ -58053,22 +62732,6 @@ index 0000000..b549de6
 +.B setsebool -P polipo_use_nfs 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -58159,27 +62822,9 @@ index 0000000..b549de6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for polipo:
-+
-+.EX
-+.B polipo_t, polipo_session_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type polipo_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type polipo_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B polipo_cache_t
@@ -58199,6 +62844,22 @@ index 0000000..b549de6
 +	/var/run/polipo(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -58225,19 +62886,46 @@ index 0000000..b549de6
 \ No newline at end of file
 diff --git a/man/man8/portmap_helper_selinux.8 b/man/man8/portmap_helper_selinux.8
 new file mode 100644
-index 0000000..9b712c7
+index 0000000..9f96794
 --- /dev/null
 +++ b/man/man8/portmap_helper_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "portmap_helper_selinux"  "8"  "portmap_helper" "dwalsh at redhat.com" "portmap_helper SELinux Policy documentation"
 +.SH "NAME"
 +portmap_helper_selinux \- Security Enhanced Linux Policy for the portmap_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the portmap_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the portmap_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The portmap_helper processes execute with the portmap_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep portmap_helper_t
++
++
++.SH "ENTRYPOINTS"
++
++The portmap_helper_t SELinux type can be entered via the "portmap_helper_exec_t" file type.  The default entrypoint paths for the portmap_helper_t domain are the following:"
++
++/usr/sbin/pmap_set, /usr/sbin/pmap_dump
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for portmap_helper:
++
++.EX
++.B portmap_helper_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
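Review bot: The note after the process type list shows `semanage permissive -a PROCESS_TYPE` but never says how to undo it or that the setting persists until it is removed. A reader who follows it while debugging can leave the domain unconfined indefinitely. I would add a sentence after the existing one, for example `Use this only while troubleshooting and remove it afterwards with semanage permissive -d PROCESS_TYPE.` The same paragraph is repeated in the PROCESS TYPES section of every page in this patch, so the wording is best changed once at its source.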
@@ -58269,27 +62957,9 @@ index 0000000..9b712c7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for portmap_helper:
-+
-+.EX
-+.B portmap_helper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type portmap_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type portmap_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B initrc_var_run_t
@@ -58325,6 +62995,8 @@ index 0000000..9b712c7
 +	/var/spool/postfix/pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
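Review bot: The added `.SH NSSWITCH DOMAIN` heading is followed directly by `.SH "COMMANDS"`, so portmap_helper_selinux(8) gets an empty section. The portreserve_selinux.8 hunk further down has the same empty heading. On the other pages this section holds the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` paragraphs, so the heading appears to be written unconditionally. It should be emitted only when there is at least one paragraph to put under it.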
@@ -58344,47 +63016,60 @@ index 0000000..9b712c7
 +
 +.SH "SEE ALSO"
 +selinux(8), portmap_helper(8), semanage(8), restorecon(8), chcon(1)
-+, portmap_selinux(8)
++, portmap_selinux(8), portmap_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8
 new file mode 100644
-index 0000000..fce3393
+index 0000000..1fe741f
 --- /dev/null
 +++ b/man/man8/portmap_selinux.8
-@@ -0,0 +1,176 @@
+@@ -0,0 +1,187 @@
 +.TH  "portmap_selinux"  "8"  "portmap" "dwalsh at redhat.com" "portmap SELinux Policy documentation"
 +.SH "NAME"
 +portmap_selinux \- Security Enhanced Linux Policy for the portmap processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the portmap processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the portmap processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible.
++The portmap processes execute with the portmap_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
++.B ps -eZ | grep portmap_t
 +
-+.EX
-+.B setsebool -P samba_portmapper 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The portmap_t SELinux type can be entered via the "portmap_exec_t" file type.  The default entrypoint paths for the portmap_t domain are the following:"
++
++/sbin/portmap, /usr/sbin/portmap
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
++.PP 
++The following process types are defined for portmap:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B portmap_helper_t, portmap_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the kerberos_enabled boolean.
++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P samba_portmapper 1
 +.EE
 +
 +.SH FILE CONTEXTS
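Review bot: The SEE ALSO line of portmap_helper_selinux.8 now reads `, portmap_selinux(8), portmap_selinux(8)`, listing the same page twice where the old line listed it once. The line should stay `, portmap_selinux(8)`. If the list is built from the related process types, it probably needs de-duplicating before it is joined.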
@@ -58470,27 +63155,9 @@ index 0000000..fce3393
 +.EE
 +udp 111
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for portmap:
-+
-+.EX
-+.B portmap_helper_t, portmap_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type portmap_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type portmap_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B portmap_tmp_t
@@ -58502,6 +63169,22 @@ index 0000000..fce3393
 +	/var/run/portmap\.upgrade-state
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -58531,19 +63214,46 @@ index 0000000..fce3393
 \ No newline at end of file
 diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8
 new file mode 100644
-index 0000000..c802797
+index 0000000..5da9bf3
 --- /dev/null
 +++ b/man/man8/portreserve_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "portreserve_selinux"  "8"  "portreserve" "dwalsh at redhat.com" "portreserve SELinux Policy documentation"
 +.SH "NAME"
 +portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the portreserve processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the portreserve processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The portreserve processes execute with the portreserve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep portreserve_t
++
++
++.SH "ENTRYPOINTS"
++
++The portreserve_t SELinux type can be entered via the "portreserve_exec_t" file type.  The default entrypoint paths for the portreserve_t domain are the following:"
++
++/usr/sbin/portreserve, /sbin/portreserve
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
++.PP 
++The following process types are defined for portreserve:
++
++.EX
++.B portreserve_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -58599,27 +63309,9 @@ index 0000000..c802797
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for portreserve:
-+
-+.EX
-+.B portreserve_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type portreserve_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type portreserve_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B portreserve_var_run_t
@@ -58627,6 +63319,8 @@ index 0000000..c802797
 +	/var/run/portreserve(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -58648,33 +63342,46 @@ index 0000000..c802797
 +selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/postfix_bounce_selinux.8 b/man/man8/postfix_bounce_selinux.8
 new file mode 100644
-index 0000000..5e484b7
+index 0000000..33465ac
 --- /dev/null
 +++ b/man/man8/postfix_bounce_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,147 @@
 +.TH  "postfix_bounce_selinux"  "8"  "postfix_bounce" "dwalsh at redhat.com" "postfix_bounce SELinux Policy documentation"
 +.SH "NAME"
 +postfix_bounce_selinux \- Security Enhanced Linux Policy for the postfix_bounce processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_bounce processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_bounce processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_bounce processes execute with the postfix_bounce_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_bounce_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_bounce_t
++
++
++.SH "ENTRYPOINTS"
 +
++The postfix_bounce_t SELinux type can be entered via the "postfix_bounce_exec_t" file type.  The default entrypoint paths for the postfix_bounce_t domain are the following:"
++
++/usr/libexec/postfix/bounce
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_bounce_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_bounce:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_bounce_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -58710,27 +63417,9 @@ index 0000000..5e484b7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_bounce:
-+
-+.EX
-+.B postfix_bounce_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_bounce_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_bounce_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -58768,6 +63457,22 @@ index 0000000..5e484b7
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_bounce_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_bounce_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -58787,35 +63492,50 @@ index 0000000..5e484b7
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_bounce(8), semanage(8), restorecon(8), chcon(1)
++, postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_cleanup_selinux.8 b/man/man8/postfix_cleanup_selinux.8
 new file mode 100644
-index 0000000..5e3e9ba
+index 0000000..5c8e900
 --- /dev/null
 +++ b/man/man8/postfix_cleanup_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "postfix_cleanup_selinux"  "8"  "postfix_cleanup" "dwalsh at redhat.com" "postfix_cleanup SELinux Policy documentation"
 +.SH "NAME"
 +postfix_cleanup_selinux \- Security Enhanced Linux Policy for the postfix_cleanup processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_cleanup processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_cleanup processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_cleanup processes execute with the postfix_cleanup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_cleanup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep postfix_cleanup_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The postfix_cleanup_t SELinux type can be entered via the "postfix_cleanup_exec_t" file type.  The default entrypoint paths for the postfix_cleanup_t domain are the following:"
++
++/usr/libexec/postfix/cleanup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_cleanup_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_cleanup:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_cleanup_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -58851,27 +63571,9 @@ index 0000000..5e3e9ba
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_cleanup:
-+
-+.EX
-+.B postfix_cleanup_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_cleanup_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_cleanup_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -58893,6 +63595,22 @@ index 0000000..5e3e9ba
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_cleanup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_cleanup_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -58912,45 +63630,60 @@ index 0000000..5e3e9ba
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_cleanup(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_local_selinux.8 b/man/man8/postfix_local_selinux.8
 new file mode 100644
-index 0000000..794dd13
+index 0000000..6e85602
 --- /dev/null
 +++ b/man/man8/postfix_local_selinux.8
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,193 @@
 +.TH  "postfix_local_selinux"  "8"  "postfix_local" "dwalsh at redhat.com" "postfix_local SELinux Policy documentation"
 +.SH "NAME"
 +postfix_local_selinux \- Security Enhanced Linux Policy for the postfix_local processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_local processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_local processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  postfix_local policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_local with the tightest access possible.
++The postfix_local processes execute with the postfix_local_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean.
++.B ps -eZ | grep postfix_local_t
 +
-+.EX
-+.B setsebool -P postfix_local_write_mail_spool 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The postfix_local_t SELinux type can be entered via the "postfix_local_exec_t" file type.  The default entrypoint paths for the postfix_local_t domain are the following:"
++
++/usr/libexec/postfix/local
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_local:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B postfix_local_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  postfix_local policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_local with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_local_t, you must turn on the kerberos_enabled boolean.
++If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P postfix_local_write_mail_spool 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -58987,27 +63720,9 @@ index 0000000..794dd13
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_local:
-+
-+.EX
-+.B postfix_local_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_local_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_local_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -59026,6 +63741,10 @@ index 0000000..794dd13
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
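Review bot: The added entries `/home/dwalsh/Maildir(/.*)?` and `/var/lib/xguest/home/xguest/Maildir(/.*)?` look like home-directory expansions from the machine the page was generated on, not policy defaults; `dwalsh` matches the author address in the `.TH` lines of these pages. The generic `/home/[^/]*/Maildir(/.*)?` entry just above already covers them, so I would drop both lines and regenerate the pages on a system without local accounts expanded into the file-context list. The same applies to `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` in the next hunk. As shipped, the page presents one host's accounts as default paths, which misleads anyone auditing labels from it.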
@@ -59068,6 +63787,26 @@ index 0000000..794dd13
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_local_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -59091,37 +63830,50 @@ index 0000000..794dd13
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_local(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8)
++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/postfix_map_selinux.8 b/man/man8/postfix_map_selinux.8
 new file mode 100644
-index 0000000..a82d394
+index 0000000..3ec768f
 --- /dev/null
 +++ b/man/man8/postfix_map_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "postfix_map_selinux"  "8"  "postfix_map" "dwalsh at redhat.com" "postfix_map SELinux Policy documentation"
 +.SH "NAME"
 +postfix_map_selinux \- Security Enhanced Linux Policy for the postfix_map processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_map processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_map processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_map processes execute with the postfix_map_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_map_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_map_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_map_t SELinux type can be entered via the "postfix_map_exec_t" file type.  The default entrypoint paths for the postfix_map_t domain are the following:"
 +
++/usr/sbin/postmap
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_map_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_map:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_map_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
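Review bot: The line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends in `\bP` rather than the font reset `\fP`, so bold is not switched off after `ps` and the line will probably not render as intended. It should read `\fBps\fP`. The line is carried over unchanged from the old PROCESS TYPES section, and the same text appears in the postfix_master, postfix_pickup, postfix_pipe, postfix_postdrop and postfix_postqueue pages in the following hunks. If these pages are generated, the fix belongs in the generator template rather than in each page.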
@@ -59157,27 +63909,9 @@ index 0000000..a82d394
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_map:
-+
-+.EX
-+.B postfix_map_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_map_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_map_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mailman_data_t
@@ -59199,6 +63933,22 @@ index 0000000..a82d394
 +.B postfix_map_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_map_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_map_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
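Review bot: The NSSWITCH DOMAIN text says to turn on `authlogin_nsswitch_use_ldap` and `kerberos_enabled` "for the postfix_map_t", which reads as a per-domain setting. The `setsebool -P` commands shown name no domain, and SELinux booleans are policy-wide, so the change is persistent and affects every domain that uses the boolean. I would add a sentence such as `This boolean is system-wide; turning it on affects all domains that use it, not only postfix_map_t.` The wording `rather then using a sssd serve` should also be `rather than using an sssd server`. The same section is added to the other postfix pages in this diff.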
@@ -59218,35 +63968,50 @@ index 0000000..a82d394
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_map(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_master_selinux.8 b/man/man8/postfix_master_selinux.8
 new file mode 100644
-index 0000000..6cea98a
+index 0000000..d3cf0f7
 --- /dev/null
 +++ b/man/man8/postfix_master_selinux.8
-@@ -0,0 +1,169 @@
+@@ -0,0 +1,181 @@
 +.TH  "postfix_master_selinux"  "8"  "postfix_master" "dwalsh at redhat.com" "postfix_master SELinux Policy documentation"
 +.SH "NAME"
 +postfix_master_selinux \- Security Enhanced Linux Policy for the postfix_master processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_master processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_master processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_master processes execute with the postfix_master_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_master_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_master_t SELinux type can be entered via the "postfix_master_exec_t" file type.  The default entrypoint paths for the postfix_master_t domain are the following:"
 +
++/usr/sbin/postcat, /usr/sbin/postfix, /usr/libexec/postfix/master, /usr/sbin/postkick, /usr/sbin/postsuper, /usr/sbin/postalias, /usr/sbin/postlock, /usr/sbin/postlog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_master_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_master:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_master_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
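Review bot: The Note on `semanage permissive -a PROCESS_TYPE` does not say how to undo the change, nor that it applies to every process running in that type. I would add a sentence after it such as `Use this for troubleshooting only and remove it afterwards with semanage permissive -d PROCESS_TYPE.` The same paragraph is repeated in the other postfix_*_selinux pages in this patch, so one wording change would cover all of them.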
@@ -59278,27 +64043,9 @@ index 0000000..6cea98a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_master:
-+
-+.EX
-+.B postfix_master_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_master_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_master_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -59374,6 +64121,22 @@ index 0000000..6cea98a
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_master_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -59393,35 +64156,50 @@ index 0000000..6cea98a
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_master(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_pickup_selinux.8 b/man/man8/postfix_pickup_selinux.8
 new file mode 100644
-index 0000000..31e1137
+index 0000000..72c8dae
 --- /dev/null
 +++ b/man/man8/postfix_pickup_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,125 @@
 +.TH  "postfix_pickup_selinux"  "8"  "postfix_pickup" "dwalsh at redhat.com" "postfix_pickup SELinux Policy documentation"
 +.SH "NAME"
 +postfix_pickup_selinux \- Security Enhanced Linux Policy for the postfix_pickup processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_pickup processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_pickup processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_pickup processes execute with the postfix_pickup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pickup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_pickup_t
 +
++
++.SH "ENTRYPOINTS"
++
++The postfix_pickup_t SELinux type can be entered via the "postfix_pickup_exec_t" file type.  The default entrypoint paths for the postfix_pickup_t domain are the following:"
++
++/usr/libexec/postfix/pickup
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_pickup_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_pickup:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_pickup_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
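Review bot: The ENTRYPOINTS sentence ends with a stray double quote, `... domain are the following:"`, which will print literally in the rendered page. It should end `... are the following:`. The path line `/usr/libexec/postfix/pickup` is also followed directly by `.SH PROCESS TYPES`, whereas the path lists elsewhere in these pages end with `.br`. The same stray quote appears in the ENTRYPOINTS section of each postfix page added in this diff.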
@@ -59457,27 +64235,9 @@ index 0000000..31e1137
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_pickup:
-+
-+.EX
-+.B postfix_pickup_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_pickup_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_pickup_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -59493,6 +64253,22 @@ index 0000000..31e1137
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pickup_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_pickup_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -59512,35 +64288,50 @@ index 0000000..31e1137
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_pickup(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_pipe_selinux.8 b/man/man8/postfix_pipe_selinux.8
 new file mode 100644
-index 0000000..cf06af1
+index 0000000..178ff03
 --- /dev/null
 +++ b/man/man8/postfix_pipe_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,141 @@
 +.TH  "postfix_pipe_selinux"  "8"  "postfix_pipe" "dwalsh at redhat.com" "postfix_pipe SELinux Policy documentation"
 +.SH "NAME"
 +postfix_pipe_selinux \- Security Enhanced Linux Policy for the postfix_pipe processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_pipe processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_pipe processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_pipe processes execute with the postfix_pipe_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pipe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_pipe_t
++
++
++.SH "ENTRYPOINTS"
 +
++The postfix_pipe_t SELinux type can be entered via the "postfix_pipe_exec_t" file type.  The default entrypoint paths for the postfix_pipe_t domain are the following:"
++
++/usr/libexec/postfix/pipe
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_pipe_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_pipe:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_pipe_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -59576,27 +64367,9 @@ index 0000000..cf06af1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_pipe:
-+
-+.EX
-+.B postfix_pipe_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_pipe_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_pipe_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -59628,6 +64401,22 @@ index 0000000..cf06af1
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pipe_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_pipe_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -59647,35 +64436,50 @@ index 0000000..cf06af1
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_pipe(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_postdrop_selinux.8 b/man/man8/postfix_postdrop_selinux.8
 new file mode 100644
-index 0000000..64944db
+index 0000000..a41a106
 --- /dev/null
 +++ b/man/man8/postfix_postdrop_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,135 @@
 +.TH  "postfix_postdrop_selinux"  "8"  "postfix_postdrop" "dwalsh at redhat.com" "postfix_postdrop SELinux Policy documentation"
 +.SH "NAME"
 +postfix_postdrop_selinux \- Security Enhanced Linux Policy for the postfix_postdrop processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_postdrop processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_postdrop processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_postdrop processes execute with the postfix_postdrop_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postdrop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_postdrop_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_postdrop_t SELinux type can be entered via the "postfix_postdrop_exec_t" file type.  The default entrypoint paths for the postfix_postdrop_t domain are the following:"
 +
++/usr/sbin/postdrop
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_postdrop_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_postdrop:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_postdrop_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -59703,27 +64507,9 @@ index 0000000..64944db
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_postdrop:
-+
-+.EX
-+.B postfix_postdrop_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_postdrop_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_postdrop_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -59757,6 +64543,22 @@ index 0000000..64944db
 +	/var/spool/uucppublic(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postdrop_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_postdrop_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -59776,35 +64578,50 @@ index 0000000..64944db
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_postdrop(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_postqueue_selinux.8 b/man/man8/postfix_postqueue_selinux.8
 new file mode 100644
-index 0000000..55a7518
+index 0000000..af15d32
 --- /dev/null
 +++ b/man/man8/postfix_postqueue_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,117 @@
 +.TH  "postfix_postqueue_selinux"  "8"  "postfix_postqueue" "dwalsh at redhat.com" "postfix_postqueue SELinux Policy documentation"
 +.SH "NAME"
 +postfix_postqueue_selinux \- Security Enhanced Linux Policy for the postfix_postqueue processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_postqueue processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_postqueue processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_postqueue processes execute with the postfix_postqueue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_postqueue_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_postqueue_t SELinux type can be entered via the "postfix_postqueue_exec_t" file type.  The default entrypoint paths for the postfix_postqueue_t domain are the following:"
 +
++/usr/sbin/postqueue
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_postqueue_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_postqueue:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_postqueue_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -59832,27 +64649,9 @@ index 0000000..55a7518
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_postqueue:
-+
-+.EX
-+.B postfix_postqueue_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_postqueue_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_postqueue_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -59868,6 +64667,22 @@ index 0000000..55a7518
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_postqueue_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -59887,35 +64702,50 @@ index 0000000..55a7518
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_postqueue(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_qmgr_selinux.8 b/man/man8/postfix_qmgr_selinux.8
 new file mode 100644
-index 0000000..1fb9d00
+index 0000000..2857a23
 --- /dev/null
 +++ b/man/man8/postfix_qmgr_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,141 @@
 +.TH  "postfix_qmgr_selinux"  "8"  "postfix_qmgr" "dwalsh at redhat.com" "postfix_qmgr SELinux Policy documentation"
 +.SH "NAME"
 +postfix_qmgr_selinux \- Security Enhanced Linux Policy for the postfix_qmgr processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_qmgr processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_qmgr processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_qmgr processes execute with the postfix_qmgr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_qmgr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_qmgr_t
++
++
++.SH "ENTRYPOINTS"
 +
++The postfix_qmgr_t SELinux type can be entered via the "postfix_qmgr_exec_t" file type.  The default entrypoint paths for the postfix_qmgr_t domain are the following:"
++
++/usr/libexec/postfix/(n)?qmgr
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_qmgr_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_qmgr:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_qmgr_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
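Review bot: The relocated PROCESS TYPES text in postfix_qmgr_selinux.8 still closes the `ps` reference with `\fBps\bP`, and `\bP` is not the font-reset escape, so the line should end `\fBps\fP` as the new DESCRIPTION paragraph in this hunk already does. The new ENTRYPOINTS sentence also ends with an unmatched `"` after `are the following:`. The entrypoint path line runs straight into `.SH PROCESS TYPES` with no blank line, unlike the other sections. All three recur in the postfix_showq, postfix_smtp, postfix_smtpd, postfix_virtual, postgresql and postgrey hunks below, which suggests fixing the generator template rather than the individual pages.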
@@ -59951,27 +64781,9 @@ index 0000000..1fb9d00
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_qmgr:
-+
-+.EX
-+.B postfix_qmgr_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_qmgr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_qmgr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -60003,6 +64815,22 @@ index 0000000..1fb9d00
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_qmgr_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_qmgr_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -60022,35 +64850,50 @@ index 0000000..1fb9d00
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_qmgr(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_showq_selinux.8 b/man/man8/postfix_showq_selinux.8
 new file mode 100644
-index 0000000..e879b70
+index 0000000..4449f79
 --- /dev/null
 +++ b/man/man8/postfix_showq_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,113 @@
 +.TH  "postfix_showq_selinux"  "8"  "postfix_showq" "dwalsh at redhat.com" "postfix_showq SELinux Policy documentation"
 +.SH "NAME"
 +postfix_showq_selinux \- Security Enhanced Linux Policy for the postfix_showq processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_showq processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_showq processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_showq processes execute with the postfix_showq_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_showq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_showq_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_showq_t SELinux type can be entered via the "postfix_showq_exec_t" file type.  The default entrypoint paths for the postfix_showq_t domain are the following:"
 +
++/usr/libexec/postfix/showq
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_showq_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_showq:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_showq_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
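Review bot: The `semanage permissive -a PROCESS_TYPE` note in the re-added PROCESS TYPES section says what permissive mode does, but not that it removes confinement for that domain until it is reverted. Since the section is being moved anyway, I would extend the note with something like `Use this only while troubleshooting, and run semanage permissive -d PROCESS_TYPE afterwards to return the domain to enforcing.` The identical paragraph is added in the postfix_qmgr, postfix_smtp, postfix_smtpd, postfix_virtual, postgresql and postgrey pages on this page and would take the same sentence.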
@@ -60078,27 +64921,9 @@ index 0000000..e879b70
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_showq:
-+
-+.EX
-+.B postfix_showq_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_showq_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_showq_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -60110,6 +64935,22 @@ index 0000000..e879b70
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_showq_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_showq_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -60129,35 +64970,50 @@ index 0000000..e879b70
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_showq(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postfix_smtp_selinux.8 b/man/man8/postfix_smtp_selinux.8
 new file mode 100644
-index 0000000..e36e0d8
+index 0000000..d17ab20
 --- /dev/null
 +++ b/man/man8/postfix_smtp_selinux.8
-@@ -0,0 +1,156 @@
+@@ -0,0 +1,167 @@
 +.TH  "postfix_smtp_selinux"  "8"  "postfix_smtp" "dwalsh at redhat.com" "postfix_smtp SELinux Policy documentation"
 +.SH "NAME"
 +postfix_smtp_selinux \- Security Enhanced Linux Policy for the postfix_smtp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_smtp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_smtp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_smtp processes execute with the postfix_smtp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_smtp_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_smtp_t SELinux type can be entered via the "postfix_smtp_exec_t" file type.  The default entrypoint paths for the postfix_smtp_t domain are the following:"
 +
++/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_smtp:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_smtpd_t, postfix_smtp_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -60213,27 +65069,9 @@ index 0000000..e36e0d8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_smtp:
-+
-+.EX
-+.B postfix_smtpd_t, postfix_smtp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_smtp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_smtp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -60271,6 +65109,22 @@ index 0000000..e36e0d8
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -60290,37 +65144,50 @@ index 0000000..e36e0d8
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_smtp(8), semanage(8), restorecon(8), chcon(1)
-+, postfix_smtpd_selinux(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/postfix_smtpd_selinux.8 b/man/man8/postfix_smtpd_selinux.8
 new file mode 100644
-index 0000000..a90a9a1
+index 0000000..d174664
 --- /dev/null
 +++ b/man/man8/postfix_smtpd_selinux.8
-@@ -0,0 +1,126 @@
+@@ -0,0 +1,137 @@
 +.TH  "postfix_smtpd_selinux"  "8"  "postfix_smtpd" "dwalsh at redhat.com" "postfix_smtpd SELinux Policy documentation"
 +.SH "NAME"
 +postfix_smtpd_selinux \- Security Enhanced Linux Policy for the postfix_smtpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_smtpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_smtpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_smtpd processes execute with the postfix_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_smtpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_smtpd_t SELinux type can be entered via the "postfix_smtpd_exec_t" file type.  The default entrypoint paths for the postfix_smtpd_t domain are the following:"
 +
++/usr/libexec/postfix/smtpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_smtpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_smtpd_t, postfix_smtp_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -60356,27 +65223,9 @@ index 0000000..a90a9a1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_smtpd:
-+
-+.EX
-+.B postfix_smtpd_t, postfix_smtp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_smtpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_smtpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -60404,6 +65253,22 @@ index 0000000..a90a9a1
 +	/var/spool/postfix/pid/.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -60423,37 +65288,50 @@ index 0000000..a90a9a1
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_smtpd(8), semanage(8), restorecon(8), chcon(1)
-+, postfix_smtp_selinux(8), postfix_smtp_selinux(8)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtp_selinux(8), postfix_virtual_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/postfix_virtual_selinux.8 b/man/man8/postfix_virtual_selinux.8
 new file mode 100644
-index 0000000..8d86391
+index 0000000..2d8064c
 --- /dev/null
 +++ b/man/man8/postfix_virtual_selinux.8
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,163 @@
 +.TH  "postfix_virtual_selinux"  "8"  "postfix_virtual" "dwalsh at redhat.com" "postfix_virtual SELinux Policy documentation"
 +.SH "NAME"
 +postfix_virtual_selinux \- Security Enhanced Linux Policy for the postfix_virtual processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postfix_virtual processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postfix_virtual processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postfix_virtual processes execute with the postfix_virtual_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_virtual_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep postfix_virtual_t
++
++
++.SH "ENTRYPOINTS"
++
++The postfix_virtual_t SELinux type can be entered via the "postfix_virtual_exec_t" file type.  The default entrypoint paths for the postfix_virtual_t domain are the following:"
 +
++/usr/libexec/postfix/virtual
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the postfix_virtual_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible.
++.PP 
++The following process types are defined for postfix_virtual:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B postfix_virtual_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
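Review bot: The rewritten SEE ALSO line for postfix_smtpd_selinux.8 lists `postfix_smtp_selinux(8)` twice in a row, as the line it replaces did. The other pages' lists each name a sibling page once, so this looks like the generator adding the entry once per process type (`postfix_smtpd_t, postfix_smtp_t`) without de-duplicating. The list should carry a single `postfix_smtp_selinux(8)`. Because the continuation starts on its own line with `, `, the rendered text will also show a space before the comma; joining it onto the `chcon(1)` line would avoid that.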
@@ -60489,27 +65367,9 @@ index 0000000..8d86391
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postfix_virtual:
-+
-+.EX
-+.B postfix_virtual_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postfix_virtual_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postfix_virtual_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -60552,6 +65412,10 @@ index 0000000..8d86391
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B user_home_type
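Review bot: The two added paths `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` look like home directories from the machine where this man page was generated, not policy defaults. The MANAGED FILES introduction says the paths listed are the default paths for these file types, and the existing `/home/[^/]*/.+` entry already covers ordinary home directories. Shipping them puts a build-host account name into the documentation and makes the page differ from one build machine to the next. I would drop both entries and regenerate the page on a host without local home-directory file-context entries, or have the generator skip them.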
@@ -60559,6 +65423,22 @@ index 0000000..8d86391
 +	all user home files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_virtual_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postfix_virtual_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -60578,19 +65458,50 @@ index 0000000..8d86391
 +
 +.SH "SEE ALSO"
 +selinux(8), postfix_virtual(8), semanage(8), restorecon(8), chcon(1)
++, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8
 new file mode 100644
-index 0000000..f698c7b
+index 0000000..325abad
 --- /dev/null
 +++ b/man/man8/postgresql_selinux.8
-@@ -0,0 +1,348 @@
+@@ -0,0 +1,359 @@
 +.TH  "postgresql_selinux"  "8"  "postgresql" "dwalsh at redhat.com" "postgresql SELinux Policy documentation"
 +.SH "NAME"
 +postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postgresql processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postgresql processes via flexible mandatory access control.
++
++The postgresql processes execute with the postgresql_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep postgresql_t
++
++
++.SH "ENTRYPOINTS"
++
++The postgresql_t SELinux type can be entered via the "postgresql_exec_t" file type.  The default entrypoint paths for the postgresql_t domain are the following:"
++
++/usr/bin/(se)?postgres, /usr/lib/postgresql/bin/.*, /usr/lib/pgsql/test/regress/pg_regress, /usr/bin/initdb(\.sepgsql)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
++.PP 
++The following process types are defined for postgresql:
++
++.EX
++.B postgresql_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible.
@@ -60618,10 +65529,10 @@ index 0000000..f698c7b
 +.EE
 +
 +.PP
-+If you want to allow users to connect to PostgreSQL, you must turn on the user_postgresql_connect boolean.
++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
 +
 +.EX
-+.B setsebool -P user_postgresql_connect 1
++.B setsebool -P selinuxuser_postgresql_connect_enabled 1
 +.EE
 +
 +.PP
@@ -60631,22 +65542,6 @@ index 0000000..f698c7b
 +.B setsebool -P postgresql_selinux_transmit_client_label 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -60768,27 +65663,9 @@ index 0000000..f698c7b
 +Default Defined Ports:
 +tcp 5432
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postgresql:
-+
-+.EX
-+.B postgresql_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postgresql_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postgresql_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -60906,6 +65783,22 @@ index 0000000..f698c7b
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -60935,19 +65828,46 @@ index 0000000..f698c7b
 \ No newline at end of file
 diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8
 new file mode 100644
-index 0000000..140fc9e
+index 0000000..e509848
 --- /dev/null
 +++ b/man/man8/postgrey_selinux.8
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,182 @@
 +.TH  "postgrey_selinux"  "8"  "postgrey" "dwalsh at redhat.com" "postgrey SELinux Policy documentation"
 +.SH "NAME"
 +postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the postgrey processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the postgrey processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The postgrey processes execute with the postgrey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep postgrey_t
++
++
++.SH "ENTRYPOINTS"
++
++The postgrey_t SELinux type can be entered via the "postgrey_exec_t" file type.  The default entrypoint paths for the postgrey_t domain are the following:"
++
++/usr/sbin/postgrey
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
++.PP 
++The following process types are defined for postgrey:
++
++.EX
++.B postgrey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -61042,27 +65962,9 @@ index 0000000..140fc9e
 +Default Defined Ports:
 +tcp 60000
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for postgrey:
-+
-+.EX
-+.B postgrey_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type postgrey_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type postgrey_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B postfix_spool_type
@@ -61088,6 +65990,8 @@ index 0000000..140fc9e
 +	/var/run/postgrey\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
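Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so the rendered page shows an empty section heading directly above `.SH "COMMANDS"`. The heading should only be emitted when the domain has nsswitch booleans to list, as the pppd and pptp pages do; for postgrey the two added lines can simply be dropped. The same empty heading is added in the prelude_audisp and prelude_correlator hunks. The heading is also unquoted while the neighbouring `.SH "COMMANDS"` and `.SH "MANAGED FILES"` are quoted, which is worth making uniform.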
@@ -61112,50 +66016,63 @@ index 0000000..140fc9e
 +selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8
 new file mode 100644
-index 0000000..12f2408
+index 0000000..a87427a
 --- /dev/null
 +++ b/man/man8/pppd_selinux.8
-@@ -0,0 +1,359 @@
+@@ -0,0 +1,370 @@
 +.TH  "pppd_selinux"  "8"  "pppd" "dwalsh at redhat.com" "pppd SELinux Policy documentation"
 +.SH "NAME"
 +pppd_selinux \- Security Enhanced Linux Policy for the pppd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pppd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pppd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible.
++The pppd processes execute with the pppd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
++.B ps -eZ | grep pppd_t
 +
-+.EX
-+.B setsebool -P pppd_for_user 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The pppd_t SELinux type can be entered via the "pppd_exec_t" file type.  The default entrypoint paths for the pppd_t domain are the following:"
++
++/usr/sbin/pppd, /usr/sbin/ipppd, /usr/sbin/pppoe-server, /usr/sbin/ppp-watch, /sbin/pppoe-server, /sbin/ppp-watch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
++.PP 
++The following process types are defined for pppd:
 +
 +.EX
-+.B setsebool -P pppd_can_insmod 1
++.B pppd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P pppd_for_user 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P pppd_can_insmod 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -61280,27 +66197,9 @@ index 0000000..12f2408
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pppd:
-+
-+.EX
-+.B pppd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pppd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pppd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -61452,6 +66351,22 @@ index 0000000..12f2408
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -61478,33 +66393,46 @@ index 0000000..12f2408
 \ No newline at end of file
 diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8
 new file mode 100644
-index 0000000..d3ad9b1
+index 0000000..85785a9
 --- /dev/null
 +++ b/man/man8/pptp_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,156 @@
 +.TH  "pptp_selinux"  "8"  "pptp" "dwalsh at redhat.com" "pptp SELinux Policy documentation"
 +.SH "NAME"
 +pptp_selinux \- Security Enhanced Linux Policy for the pptp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pptp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pptp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pptp processes execute with the pptp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep pptp_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The pptp_t SELinux type can be entered via the "pptp_exec_t" file type.  The default entrypoint paths for the pptp_t domain are the following:"
++
++/usr/sbin/pptp
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
++.PP 
++The following process types are defined for pptp:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pptp_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -61573,27 +66501,9 @@ index 0000000..d3ad9b1
 +.EE
 +udp 1723
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pptp:
-+
-+.EX
-+.B pptp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pptp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pptp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pptp_log_t
@@ -61605,6 +66515,22 @@ index 0000000..d3ad9b1
 +	/var/run/pptp(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -61629,33 +66555,46 @@ index 0000000..d3ad9b1
 +selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/prelink_cron_system_selinux.8 b/man/man8/prelink_cron_system_selinux.8
 new file mode 100644
-index 0000000..272243a
+index 0000000..6d9d6e7
 --- /dev/null
 +++ b/man/man8/prelink_cron_system_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "prelink_cron_system_selinux"  "8"  "prelink_cron_system" "dwalsh at redhat.com" "prelink_cron_system SELinux Policy documentation"
 +.SH "NAME"
 +prelink_cron_system_selinux \- Security Enhanced Linux Policy for the prelink_cron_system processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the prelink_cron_system processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the prelink_cron_system processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The prelink_cron_system processes execute with the prelink_cron_system_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep prelink_cron_system_t
 +
++
++.SH "ENTRYPOINTS"
++
++The prelink_cron_system_t SELinux type can be entered via the "prelink_cron_system_exec_t" file type.  The default entrypoint paths for the prelink_cron_system_t domain are the following:"
++
++/etc/cron\.daily/prelink
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelink_cron_system:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B prelink_cron_system_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -61683,27 +66622,9 @@ index 0000000..272243a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for prelink_cron_system:
-+
-+.EX
-+.B prelink_cron_system_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type prelink_cron_system_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type prelink_cron_system_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B prelink_log_t
@@ -61729,6 +66650,22 @@ index 0000000..272243a
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -61748,37 +66685,50 @@ index 0000000..272243a
 +
 +.SH "SEE ALSO"
 +selinux(8), prelink_cron_system(8), semanage(8), restorecon(8), chcon(1)
-+, prelink_selinux(8)
++, prelink_selinux(8), prelink_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8
 new file mode 100644
-index 0000000..60be53f
+index 0000000..1bfd579
 --- /dev/null
 +++ b/man/man8/prelink_selinux.8
-@@ -0,0 +1,748 @@
+@@ -0,0 +1,763 @@
 +.TH  "prelink_selinux"  "8"  "prelink" "dwalsh at redhat.com" "prelink SELinux Policy documentation"
 +.SH "NAME"
 +prelink_selinux \- Security Enhanced Linux Policy for the prelink processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the prelink processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the prelink processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The prelink processes execute with the prelink_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep prelink_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelink_t SELinux type can be entered via the "prelink_exec_t" file type.  The default entrypoint paths for the prelink_t domain are the following:"
 +
++/usr/sbin/prelink(\.bin)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelink:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B prelink_cron_system_t, prelink_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
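Review bot: The SEE ALSO line at the top of this hunk now lists the same page twice, `, prelink_selinux(8), prelink_selinux(8)`; it should stay `, prelink_selinux(8)`. The prelude_audisp, prelude_correlator and prelude_lml SEE ALSO lines have the same duplicate `prelude_selinux(8)` in front of the newly added sibling references. This looks like the related-page list being appended without de-duplication, which is worth fixing where the list is built.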
@@ -61862,27 +66812,9 @@ index 0000000..60be53f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for prelink:
-+
-+.EX
-+.B prelink_cron_system_t, prelink_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type prelink_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type prelink_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B exec_type
@@ -62439,6 +67371,10 @@ index 0000000..60be53f
 +.br
 +	/home/[^/]*/.*/plugins/nppdf\.so.*
 +.br
++	/home/dwalsh/.*/plugins/nppdf\.so.*
++.br
++	/var/lib/xguest/home/xguest/.*/plugins/nppdf\.so.*
++.br
 +
 +.br
 +.B user_home_type
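Review bot: The two added patterns `/home/dwalsh/.*/plugins/nppdf\.so.*` and `/var/lib/xguest/home/xguest/.*/plugins/nppdf\.so.*` look like per-user home-directory expansions taken from the machine the page was generated on, not default paths of the policy. The generic `/home/[^/]*/.*/plugins/nppdf\.so.*` entry just above already covers the first one. Shipping them puts a local account name into distributed documentation and makes the page content depend on the build host's file-context database. Both entries and their `.br` lines should be dropped, and the pages regenerated from a file-context set without local home-directory entries; the list they belong to starts outside this hunk, so other host-specific entries may exist there.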
@@ -62484,6 +67420,22 @@ index 0000000..60be53f
 +	/srv
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -62507,19 +67459,46 @@ index 0000000..60be53f
 \ No newline at end of file
 diff --git a/man/man8/prelude_audisp_selinux.8 b/man/man8/prelude_audisp_selinux.8
 new file mode 100644
-index 0000000..e0d6999
+index 0000000..3789085
 --- /dev/null
 +++ b/man/man8/prelude_audisp_selinux.8
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,109 @@
 +.TH  "prelude_audisp_selinux"  "8"  "prelude_audisp" "dwalsh at redhat.com" "prelude_audisp SELinux Policy documentation"
 +.SH "NAME"
 +prelude_audisp_selinux \- Security Enhanced Linux Policy for the prelude_audisp processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the prelude_audisp processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the prelude_audisp processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The prelude_audisp processes execute with the prelude_audisp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep prelude_audisp_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_audisp_t SELinux type can be entered via the "prelude_audisp_exec_t" file type.  The default entrypoint paths for the prelude_audisp_t domain are the following:"
++
++/sbin/audisp-prelude, /usr/sbin/audisp-prelude
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelude_audisp:
++
++.EX
++.B prelude_audisp_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -62559,27 +67538,9 @@ index 0000000..e0d6999
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for prelude_audisp:
-+
-+.EX
-+.B prelude_audisp_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type prelude_audisp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type prelude_audisp_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B prelude_spool_t
@@ -62589,6 +67550,8 @@ index 0000000..e0d6999
 +	/var/spool/prelude-manager(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -62608,23 +67571,50 @@ index 0000000..e0d6999
 +
 +.SH "SEE ALSO"
 +selinux(8), prelude_audisp(8), semanage(8), restorecon(8), chcon(1)
-+, prelude_selinux(8)
++, prelude_selinux(8), prelude_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/prelude_correlator_selinux.8 b/man/man8/prelude_correlator_selinux.8
 new file mode 100644
-index 0000000..c1ee731
+index 0000000..a82e57e
 --- /dev/null
 +++ b/man/man8/prelude_correlator_selinux.8
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,105 @@
 +.TH  "prelude_correlator_selinux"  "8"  "prelude_correlator" "dwalsh at redhat.com" "prelude_correlator SELinux Policy documentation"
 +.SH "NAME"
 +prelude_correlator_selinux \- Security Enhanced Linux Policy for the prelude_correlator processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the prelude_correlator processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the prelude_correlator processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The prelude_correlator processes execute with the prelude_correlator_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep prelude_correlator_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_correlator_t SELinux type can be entered via the "prelude_correlator_exec_t" file type.  The default entrypoint paths for the prelude_correlator_t domain are the following:"
++
++/usr/bin/prelude-correlator
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelude_correlator:
++
++.EX
++.B prelude_correlator_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -62660,27 +67650,9 @@ index 0000000..c1ee731
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for prelude_correlator:
-+
-+.EX
-+.B prelude_correlator_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type prelude_correlator_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type prelude_correlator_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B prelude_spool_t
@@ -62690,6 +67662,8 @@ index 0000000..c1ee731
 +	/var/spool/prelude-manager(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -62709,37 +67683,50 @@ index 0000000..c1ee731
 +
 +.SH "SEE ALSO"
 +selinux(8), prelude_correlator(8), semanage(8), restorecon(8), chcon(1)
-+, prelude_selinux(8)
++, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_lml_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/prelude_lml_selinux.8 b/man/man8/prelude_lml_selinux.8
 new file mode 100644
-index 0000000..0fc4389
+index 0000000..758ff1a
 --- /dev/null
 +++ b/man/man8/prelude_lml_selinux.8
-@@ -0,0 +1,136 @@
+@@ -0,0 +1,147 @@
 +.TH  "prelude_lml_selinux"  "8"  "prelude_lml" "dwalsh at redhat.com" "prelude_lml SELinux Policy documentation"
 +.SH "NAME"
 +prelude_lml_selinux \- Security Enhanced Linux Policy for the prelude_lml processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the prelude_lml processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the prelude_lml processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The prelude_lml processes execute with the prelude_lml_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep prelude_lml_t
 +
++
++.SH "ENTRYPOINTS"
++
++The prelude_lml_t SELinux type can be entered via the "prelude_lml_exec_t" file type.  The default entrypoint paths for the prelude_lml_t domain are the following:"
++
++/usr/bin/prelude-lml
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the prelude_lml_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelude_lml:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B prelude_lml_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -62783,27 +67770,9 @@ index 0000000..0fc4389
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for prelude_lml:
-+
-+.EX
-+.B prelude_lml_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type prelude_lml_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type prelude_lml_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -62833,6 +67802,22 @@ index 0000000..0fc4389
 +	/var/lib/prelude-lml(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelude_lml_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
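Review bot: The added NSSWITCH DOMAIN text reads as if `authlogin_nsswitch_use_ldap` and `kerberos_enabled` were scoped to prelude_lml_t, but `setsebool -P` sets a boolean persistently for the whole loaded policy. An administrator following this page to fix one daemon therefore widens access for every domain the boolean governs. I would add a line after each `.EE` such as `Note: this boolean is system-wide; enabling it affects every domain it governs, not only prelude_lml_t.` The first paragraph also has two typos: `rather then using a sssd serve` should read `rather than using an sssd server`. The same wording is re-added in the prelude, privoxy, procmail and psad hunks further down.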
@@ -62852,37 +67837,50 @@ index 0000000..0fc4389
 +
 +.SH "SEE ALSO"
 +selinux(8), prelude_lml(8), semanage(8), restorecon(8), chcon(1)
-+, prelude_selinux(8)
++, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_correlator_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8
 new file mode 100644
-index 0000000..f563c49
+index 0000000..8862f76
 --- /dev/null
 +++ b/man/man8/prelude_selinux.8
-@@ -0,0 +1,258 @@
+@@ -0,0 +1,269 @@
 +.TH  "prelude_selinux"  "8"  "prelude" "dwalsh at redhat.com" "prelude SELinux Policy documentation"
 +.SH "NAME"
 +prelude_selinux \- Security Enhanced Linux Policy for the prelude processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the prelude processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the prelude processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The prelude processes execute with the prelude_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep prelude_t
++
++
++.SH "ENTRYPOINTS"
++
++The prelude_t SELinux type can be entered via the "prelude_exec_t" file type.  The default entrypoint paths for the prelude_t domain are the following:"
 +
++/usr/bin/prelude-manager
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
++.PP 
++The following process types are defined for prelude:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B prelude_lml_t, prelude_t, prelude_audisp_t, prelude_correlator_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
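Review bot: The relocated PROCESS TYPES block still ends its `ps` reference with `\fBps\bP`, which is not a font-reset escape, so the bold is presumably never switched back and the following text renders incorrectly. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried into the privoxy, procmail, psad, ptal, ptchown, publicfile and pulseaudio pages in the later hunks, which suggests the fix belongs in the page generator rather than in each page. The new ENTRYPOINTS sentence in this hunk also ends with a stray `"` after `following:`.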
@@ -63043,27 +68041,9 @@ index 0000000..f563c49
 +.EE
 +udp 4690
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for prelude:
-+
-+.EX
-+.B prelude_lml_t, prelude_t, prelude_audisp_t, prelude_correlator_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type prelude_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type prelude_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -63095,6 +68075,22 @@ index 0000000..f563c49
 +	/var/run/prelude-manager(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -63121,43 +68117,56 @@ index 0000000..f563c49
 \ No newline at end of file
 diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8
 new file mode 100644
-index 0000000..ea2f1ae
+index 0000000..7319740
 --- /dev/null
 +++ b/man/man8/privoxy_selinux.8
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,165 @@
 +.TH  "privoxy_selinux"  "8"  "privoxy" "dwalsh at redhat.com" "privoxy SELinux Policy documentation"
 +.SH "NAME"
 +privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the privoxy processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the privoxy processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible.
++The privoxy processes execute with the privoxy_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
++.B ps -eZ | grep privoxy_t
 +
-+.EX
-+.B setsebool -P privoxy_connect_any 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The privoxy_t SELinux type can be entered via the "privoxy_exec_t" file type.  The default entrypoint paths for the privoxy_t domain are the following:"
 +
++/usr/sbin/privoxy
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
++.PP 
++The following process types are defined for privoxy:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B privoxy_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean.
++If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P privoxy_connect_any 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -63218,27 +68227,9 @@ index 0000000..ea2f1ae
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for privoxy:
-+
-+.EX
-+.B privoxy_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type privoxy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type privoxy_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B privoxy_etc_rw_t
@@ -63256,6 +68247,22 @@ index 0000000..ea2f1ae
 +.B privoxy_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -63282,33 +68289,46 @@ index 0000000..ea2f1ae
 \ No newline at end of file
 diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8
 new file mode 100644
-index 0000000..192912a
+index 0000000..a207489
 --- /dev/null
 +++ b/man/man8/procmail_selinux.8
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,182 @@
 +.TH  "procmail_selinux"  "8"  "procmail" "dwalsh at redhat.com" "procmail SELinux Policy documentation"
 +.SH "NAME"
 +procmail_selinux \- Security Enhanced Linux Policy for the procmail processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the procmail processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the procmail processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The procmail processes execute with the procmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep procmail_t
 +
++
++.SH "ENTRYPOINTS"
++
++The procmail_t SELinux type can be entered via the "procmail_exec_t" file type.  The default entrypoint paths for the procmail_t domain are the following:"
++
++/usr/bin/procmail
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for procmail:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B procmail_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -63364,27 +68384,9 @@ index 0000000..192912a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for procmail:
-+
-+.EX
-+.B procmail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type procmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type procmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -63397,6 +68399,10 @@ index 0000000..192912a
 +.br
 +	/home/[^/]*/\.local/share(/.*)?
 +.br
++	/home/dwalsh/\.local/share(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local/share(/.*)?
++.br
 +
 +.br
 +.B mail_home_rw_t
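Review bot: The added `/home/dwalsh/\.local/share(/.*)?` and `/var/lib/xguest/home/xguest/\.local/share(/.*)?` entries look like home directories of accounts on the machine where the page was generated, not default policy paths. The `/home/[^/]*/\.local/share(/.*)?` pattern just above already covers the general case. Shipping them puts a local username and the build host's account layout into a distributed man page, and tells readers these are "default paths" when they would not exist on their systems. I would drop the expanded per-user lines and have the generator emit only the generic home-directory patterns. The same expansion appears in the following procmail hunks (`Maildir`, `.+`) and in the pulseaudio hunks. This list starts outside the hunk.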
@@ -63405,6 +68411,10 @@ index 0000000..192912a
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
@@ -63425,6 +68435,26 @@ index 0000000..192912a
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -63447,33 +68477,46 @@ index 0000000..192912a
 +selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8
 new file mode 100644
-index 0000000..0a13a35
+index 0000000..cf4b90b
 --- /dev/null
 +++ b/man/man8/psad_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "psad_selinux"  "8"  "psad" "dwalsh at redhat.com" "psad SELinux Policy documentation"
 +.SH "NAME"
 +psad_selinux \- Security Enhanced Linux Policy for the psad processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the psad processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the psad processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The psad processes execute with the psad_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep psad_t
++
++
++.SH "ENTRYPOINTS"
 +
++The psad_t SELinux type can be entered via the "psad_exec_t" file type.  The default entrypoint paths for the psad_t domain are the following:"
++
++/usr/sbin/psad
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
++.PP 
++The following process types are defined for psad:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B psad_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -63549,27 +68592,9 @@ index 0000000..0a13a35
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for psad:
-+
-+.EX
-+.B psad_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type psad_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type psad_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B psad_tmp_t
@@ -63587,6 +68612,22 @@ index 0000000..0a13a35
 +	/var/run/psad(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -63608,19 +68649,46 @@ index 0000000..0a13a35
 +selinux(8), psad(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8
 new file mode 100644
-index 0000000..4abc155
+index 0000000..c61ee9e
 --- /dev/null
 +++ b/man/man8/ptal_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,146 @@
 +.TH  "ptal_selinux"  "8"  "ptal" "dwalsh at redhat.com" "ptal SELinux Policy documentation"
 +.SH "NAME"
 +ptal_selinux \- Security Enhanced Linux Policy for the ptal processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ptal processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ptal processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ptal processes execute with the ptal_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ptal_t
++
++
++.SH "ENTRYPOINTS"
++
++The ptal_t SELinux type can be entered via the "ptal_exec_t" file type.  The default entrypoint paths for the ptal_t domain are the following:"
++
++/usr/sbin/ptal-photod, /usr/sbin/ptal-mlcd, /usr/sbin/ptal-printd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
++.PP 
++The following process types are defined for ptal:
++
++.EX
++.B ptal_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -63695,27 +68763,9 @@ index 0000000..4abc155
 +Default Defined Ports:
 +tcp 5703
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ptal:
-+
-+.EX
-+.B ptal_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ptal_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ptal_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ptal_var_run_t
@@ -63725,6 +68775,8 @@ index 0000000..4abc155
 +	/var/run/ptal-printd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
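Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, and `.SH "COMMANDS"` follows it immediately, so the rendered page shows an empty section. A reader can take the bare heading to mean ptal_t is an nsswitch domain with tunables that were simply left undocumented, which matters when auditing what the domain may reach. The heading should be emitted only when there is at least one boolean paragraph to put under it, or else the page should state explicitly that none apply. The ptchown and publicfile hunks below add the same empty heading.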
@@ -63749,19 +68801,46 @@ index 0000000..4abc155
 +selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8
 new file mode 100644
-index 0000000..920c71b
+index 0000000..655cea8
 --- /dev/null
 +++ b/man/man8/ptchown_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "ptchown_selinux"  "8"  "ptchown" "dwalsh at redhat.com" "ptchown SELinux Policy documentation"
 +.SH "NAME"
 +ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ptchown processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ptchown processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ptchown processes execute with the ptchown_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ptchown_t
++
++
++.SH "ENTRYPOINTS"
++
++The ptchown_t SELinux type can be entered via the "ptchown_exec_t" file type.  The default entrypoint paths for the ptchown_t domain are the following:"
++
++/usr/libexec/pt_chown
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
++.PP 
++The following process types are defined for ptchown:
++
++.EX
++.B ptchown_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -63789,32 +68868,16 @@ index 0000000..920c71b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ptchown:
-+
-+.EX
-+.B ptchown_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ptchown_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ptchown_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -63836,19 +68899,46 @@ index 0000000..920c71b
 +selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8
 new file mode 100644
-index 0000000..e8035f6
+index 0000000..ed8bd4e
 --- /dev/null
 +++ b/man/man8/publicfile_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,100 @@
 +.TH  "publicfile_selinux"  "8"  "publicfile" "dwalsh at redhat.com" "publicfile SELinux Policy documentation"
 +.SH "NAME"
 +publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the publicfile processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the publicfile processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The publicfile processes execute with the publicfile_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep publicfile_t
++
++
++.SH "ENTRYPOINTS"
++
++The publicfile_t SELinux type can be entered via the "publicfile_exec_t" file type.  The default entrypoint paths for the publicfile_t domain are the following:"
++
++/usr/bin/httpd, /usr/bin/ftpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
++.PP 
++The following process types are defined for publicfile:
++
++.EX
++.B publicfile_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -63888,27 +68978,11 @@ index 0000000..e8035f6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for publicfile:
-+
-+.EX
-+.B publicfile_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type publicfile_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type publicfile_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -63931,33 +69005,46 @@ index 0000000..e8035f6
 +selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8
 new file mode 100644
-index 0000000..107a0f7
+index 0000000..6a703dd
 --- /dev/null
 +++ b/man/man8/pulseaudio_selinux.8
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,302 @@
 +.TH  "pulseaudio_selinux"  "8"  "pulseaudio" "dwalsh at redhat.com" "pulseaudio SELinux Policy documentation"
 +.SH "NAME"
 +pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pulseaudio processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pulseaudio processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pulseaudio processes execute with the pulseaudio_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep pulseaudio_t
++
++
++.SH "ENTRYPOINTS"
 +
++The pulseaudio_t SELinux type can be entered via the "pulseaudio_exec_t" file type.  The default entrypoint paths for the pulseaudio_t domain are the following:"
++
++/usr/bin/pulseaudio
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
++.PP 
++The following process types are defined for pulseaudio:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pulseaudio_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -64046,27 +69133,9 @@ index 0000000..107a0f7
 +.EE
 +udp 4713
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pulseaudio:
-+
-+.EX
-+.B pulseaudio_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pulseaudio_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pulseaudio_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -64089,6 +69158,26 @@ index 0000000..107a0f7
 +.br
 +	/home/[^/]*/\.grl-metadata-store
 +.br
++	/home/dwalsh/\.orc(/.*)?
++.br
++	/home/dwalsh/\.gstreamer-.*
++.br
++	/home/dwalsh/\.grl-bookmarks
++.br
++	/home/dwalsh/\.grl-bookmarks
++.br
++	/home/dwalsh/\.grl-metadata-store
++.br
++	/var/lib/xguest/home/xguest/\.orc(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gstreamer-.*
++.br
++	/var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++	/var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++	/var/lib/xguest/home/xguest/\.grl-metadata-store
++.br
 +
 +.br
 +.B pulseaudio_home_t
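Review bot: The path lines added in this hunk (`/home/dwalsh/\.orc(/.*)?` through `/var/lib/xguest/home/xguest/\.grl-metadata-store`) look like home directories of accounts on the machine that generated the page, not defaults of the policy. The generic form `/home/[^/]*/\.grl-metadata-store` is already listed just above them. Shipping these lines puts a local username and directory layout into every installed copy of the man page and documents paths that will not exist on the reader's system. The same expansion appears in the next two hunks (the `pulseaudio_home_t` list and the `.fontconfig`/`.fonts` list), and `\.grl-bookmarks` is listed twice for each home. I would drop the host-specific lines and keep only the `/home/[^/]*/` patterns, presumably by regenerating with the home-directory template left unexpanded.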
@@ -64105,6 +69194,18 @@ index 0000000..107a0f7
 +.br
 +	/home/[^/]*/\.pulse-cookie
 +.br
++	/home/dwalsh/\.pulse(/.*)?
++.br
++	/home/dwalsh/\.esd_auth
++.br
++	/home/dwalsh/\.pulse-cookie
++.br
++	/var/lib/xguest/home/xguest/\.pulse(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.esd_auth
++.br
++	/var/lib/xguest/home/xguest/\.pulse-cookie
++.br
 +
 +.br
 +.B pulseaudio_var_lib_t
@@ -64133,6 +69234,18 @@ index 0000000..107a0f7
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_tmp_type
@@ -64160,6 +69273,22 @@ index 0000000..107a0f7
 +	/tmp/\.X0-lock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
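Review bot: The relocated NSSWITCH DOMAIN paragraph still reads `rather then using a sssd serve`, which should be `rather than using an sssd server`. This sentence tells an administrator when to turn on `authlogin_nsswitch_use_ldap`, so the wording is worth fixing at the template that produces it rather than page by page. The same sentence is added again in the NSSWITCH DOMAIN hunks for puppet, puppetmaster, pwauth, pyicqt and qdiskd further down.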
@@ -64184,50 +69313,63 @@ index 0000000..107a0f7
 +selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8
 new file mode 100644
-index 0000000..9d5cb4b
+index 0000000..9e0d61d
 --- /dev/null
 +++ b/man/man8/puppet_selinux.8
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,346 @@
 +.TH  "puppet_selinux"  "8"  "puppet" "dwalsh at redhat.com" "puppet SELinux Policy documentation"
 +.SH "NAME"
 +puppet_selinux \- Security Enhanced Linux Policy for the puppet processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the puppet processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the puppet processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible.
++The puppet processes execute with the puppet_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
++.B ps -eZ | grep puppet_t
 +
-+.EX
-+.B setsebool -P puppet_manage_all_files 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The puppet_t SELinux type can be entered via the "puppet_exec_t" file type.  The default entrypoint paths for the puppet_t domain are the following:"
++
++/usr/sbin/puppetd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
++.PP 
++The following process types are defined for puppet:
 +
 +.EX
-+.B setsebool -P puppetmaster_use_db 1
++.B puppet_t, puppetmaster_t, puppetca_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P puppet_manage_all_files 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean.
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P puppetmaster_use_db 1
 +.EE
 +
 +.SH FILE CONTEXTS
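Review bot: The font escape in `option to \fBps\bP` is malformed, because `\b` is not a font escape and the bold opened by `\fB` is never closed on that line. It should read `\fBps\fP`, as the DESCRIPTION paragraph added in this same hunk already does. The new ENTRYPOINTS sentence also ends with a stray quote, `are the following:"`, which should be `are the following:`. Both slips were carried over or introduced by the generator and repeat in the ENTRYPOINTS and PROCESS TYPES blocks of every page in this patch.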
@@ -64359,27 +69501,9 @@ index 0000000..9d5cb4b
 +Default Defined Ports:
 +tcp 8140
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for puppet:
-+
-+.EX
-+.B puppet_t, puppetmaster_t, puppetca_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type puppet_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type puppet_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boolean_type
@@ -64497,6 +69621,22 @@ index 0000000..9d5cb4b
 +	/srv
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -64526,19 +69666,46 @@ index 0000000..9d5cb4b
 \ No newline at end of file
 diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8
 new file mode 100644
-index 0000000..7f68ef8
+index 0000000..3afc1cb
 --- /dev/null
 +++ b/man/man8/puppetca_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "puppetca_selinux"  "8"  "puppetca" "dwalsh at redhat.com" "puppetca SELinux Policy documentation"
 +.SH "NAME"
 +puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the puppetca processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the puppetca processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The puppetca processes execute with the puppetca_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep puppetca_t
++
++
++.SH "ENTRYPOINTS"
++
++The puppetca_t SELinux type can be entered via the "puppetca_exec_t" file type.  The default entrypoint paths for the puppetca_t domain are the following:"
++
++/usr/sbin/puppetca
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
++.PP 
++The following process types are defined for puppetca:
++
++.EX
++.B puppetca_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
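Review bot: The note on `semanage permissive -a PROCESS_TYPE` says how to stop SELinux denying access for a domain, but not what that costs or how to undo it. On a page that documents the confinement of a service, I would add a sentence such as `A permissive domain is no longer confined by this policy; remove the setting with semanage permissive -d PROCESS_TYPE once troubleshooting is finished.` The note is repeated unchanged in the PROCESS TYPES block of every page here, so the addition belongs in the generator template.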
@@ -64566,27 +69733,9 @@ index 0000000..7f68ef8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for puppetca:
-+
-+.EX
-+.B puppetca_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type puppetca_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type puppetca_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B puppet_var_lib_t
@@ -64600,6 +69749,8 @@ index 0000000..7f68ef8
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
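Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the puppetca page gets an empty section heading. The earlier puppetca hunk removes the same bare heading from near the top of the page, so the move preserved the defect rather than introducing it. The qemu_dm page gets the same empty heading later in this patch. The heading should be emitted only when at least one nsswitch-related boolean applies to the domain.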
@@ -64623,43 +69774,56 @@ index 0000000..7f68ef8
 \ No newline at end of file
 diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8
 new file mode 100644
-index 0000000..c8b9148
+index 0000000..c737eb9
 --- /dev/null
 +++ b/man/man8/puppetmaster_selinux.8
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,161 @@
 +.TH  "puppetmaster_selinux"  "8"  "puppetmaster" "dwalsh at redhat.com" "puppetmaster SELinux Policy documentation"
 +.SH "NAME"
 +puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible.
++The puppetmaster processes execute with the puppetmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
++.B ps -eZ | grep puppetmaster_t
 +
-+.EX
-+.B setsebool -P puppetmaster_use_db 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The puppetmaster_t SELinux type can be entered via the "puppetmaster_exec_t" file type.  The default entrypoint paths for the puppetmaster_t domain are the following:"
 +
++/usr/sbin/puppetmasterd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
++.PP 
++The following process types are defined for puppetmaster:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B puppetmaster_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean.
++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P puppetmaster_use_db 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -64704,27 +69868,9 @@ index 0000000..c8b9148
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for puppetmaster:
-+
-+.EX
-+.B puppetmaster_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type puppetmaster_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type puppetmaster_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B puppet_log_t
@@ -64754,6 +69900,22 @@ index 0000000..c8b9148
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -64780,33 +69942,46 @@ index 0000000..c8b9148
 \ No newline at end of file
 diff --git a/man/man8/pwauth_selinux.8 b/man/man8/pwauth_selinux.8
 new file mode 100644
-index 0000000..8203ab6
+index 0000000..effdfc9
 --- /dev/null
 +++ b/man/man8/pwauth_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "pwauth_selinux"  "8"  "pwauth" "dwalsh at redhat.com" "pwauth SELinux Policy documentation"
 +.SH "NAME"
 +pwauth_selinux \- Security Enhanced Linux Policy for the pwauth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pwauth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pwauth processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pwauth processes execute with the pwauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep pwauth_t
++
++
++.SH "ENTRYPOINTS"
++
++The pwauth_t SELinux type can be entered via the "pwauth_exec_t" file type.  The default entrypoint paths for the pwauth_t domain are the following:"
 +
++/usr/bin/pwauth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible.
++.PP 
++The following process types are defined for pwauth:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pwauth_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -64842,27 +70017,9 @@ index 0000000..8203ab6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pwauth:
-+
-+.EX
-+.B pwauth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pwauth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pwauth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pwauth_var_run_t
@@ -64870,6 +70027,22 @@ index 0000000..8203ab6
 +	/var/run/pwauth.lock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -64891,33 +70064,46 @@ index 0000000..8203ab6
 +selinux(8), pwauth(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8
 new file mode 100644
-index 0000000..bb7f404
+index 0000000..75eab47
 --- /dev/null
 +++ b/man/man8/pyicqt_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,144 @@
 +.TH  "pyicqt_selinux"  "8"  "pyicqt" "dwalsh at redhat.com" "pyicqt SELinux Policy documentation"
 +.SH "NAME"
 +pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the pyicqt processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the pyicqt processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The pyicqt processes execute with the pyicqt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep pyicqt_t
++
++
++.SH "ENTRYPOINTS"
 +
++The pyicqt_t SELinux type can be entered via the "pyicqt_exec_t" file type.  The default entrypoint paths for the pyicqt_t domain are the following:"
++
++/usr/share/pyicq-t/PyICQt\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
++.PP 
++The following process types are defined for pyicqt:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B pyicqt_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -64969,27 +70155,9 @@ index 0000000..bb7f404
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for pyicqt:
-+
-+.EX
-+.B pyicqt_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type pyicqt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type pyicqt_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B pyicqt_log_t
@@ -65009,6 +70177,22 @@ index 0000000..bb7f404
 +	/var/spool/pyicq-t(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65030,33 +70214,46 @@ index 0000000..bb7f404
 +selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8
 new file mode 100644
-index 0000000..05ed9d6
+index 0000000..5c2395e
 --- /dev/null
 +++ b/man/man8/qdiskd_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,162 @@
 +.TH  "qdiskd_selinux"  "8"  "qdiskd" "dwalsh at redhat.com" "qdiskd SELinux Policy documentation"
 +.SH "NAME"
 +qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qdiskd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qdiskd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qdiskd processes execute with the qdiskd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep qdiskd_t
++
++
++.SH "ENTRYPOINTS"
++
++The qdiskd_t SELinux type can be entered via the "qdiskd_exec_t" file type.  The default entrypoint paths for the qdiskd_t domain are the following:"
 +
++/usr/sbin/qdiskd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
++.PP 
++The following process types are defined for qdiskd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B qdiskd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65116,27 +70313,9 @@ index 0000000..05ed9d6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qdiskd:
-+
-+.EX
-+.B qdiskd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qdiskd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qdiskd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_var_lib_t
@@ -65166,6 +70345,22 @@ index 0000000..05ed9d6
 +	/var/run/qdiskd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65187,19 +70382,46 @@ index 0000000..05ed9d6
 +selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/qemu_dm_selinux.8 b/man/man8/qemu_dm_selinux.8
 new file mode 100644
-index 0000000..865dcdd
+index 0000000..eeaeffe
 --- /dev/null
 +++ b/man/man8/qemu_dm_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "qemu_dm_selinux"  "8"  "qemu_dm" "dwalsh at redhat.com" "qemu_dm SELinux Policy documentation"
 +.SH "NAME"
 +qemu_dm_selinux \- Security Enhanced Linux Policy for the qemu_dm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qemu_dm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qemu_dm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qemu_dm processes execute with the qemu_dm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qemu_dm_t
++
++
++.SH "ENTRYPOINTS"
++
++The qemu_dm_t SELinux type can be entered via the "qemu_dm_exec_t" file type.  The default entrypoint paths for the qemu_dm_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible.
++.PP 
++The following process types are defined for qemu_dm:
++
++.EX
++.B qemu_dm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
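Review bot: The new ENTRYPOINTS section for qemu_dm ends with `are the following:"` and then lists nothing before `.SH PROCESS TYPES`, so the page announces default entrypoint paths it never gives. Other pages in this patch list a path at that point, for example `/usr/sbin/qdiskd`. When the file-context data has no path labelled `qemu_dm_exec_t`, the sentence should be omitted or replaced by a statement that no default entrypoint path is defined. Otherwise a reader cannot tell whether the list was lost or is empty by design.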
@@ -65227,32 +70449,16 @@ index 0000000..865dcdd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qemu_dm:
-+
-+.EX
-+.B qemu_dm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qemu_dm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qemu_dm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B xenfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65274,19 +70480,46 @@ index 0000000..865dcdd
 +selinux(8), qemu_dm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/qmail_clean_selinux.8 b/man/man8/qmail_clean_selinux.8
 new file mode 100644
-index 0000000..65cf30c
+index 0000000..1d9534f
 --- /dev/null
 +++ b/man/man8/qmail_clean_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "qmail_clean_selinux"  "8"  "qmail_clean" "dwalsh at redhat.com" "qmail_clean SELinux Policy documentation"
 +.SH "NAME"
 +qmail_clean_selinux \- Security Enhanced Linux Policy for the qmail_clean processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_clean processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_clean processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_clean processes execute with the qmail_clean_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_clean_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_clean_t SELinux type can be entered via the "qmail_clean_exec_t" file type.  The default entrypoint paths for the qmail_clean_t domain are the following:"
++
++/var/qmail/bin/qmail-clean
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_clean:
++
++.EX
++.B qmail_clean_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
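Review bot: The note on `semanage permissive -a PROCESS_TYPE`, re-added here under PROCESS TYPES, tells the reader how to stop enforcement for the domain but not how to restore it. A permissive qmail_clean_t is no longer confined, so the text should add the reverse step, for example `.B semanage permissive -d PROCESS_TYPE` followed by a sentence saying it removes the permissive setting once troubleshooting is done. It would also help to mention that `semanage permissive -l` lists the domains that are currently permissive. The same paragraph appears unchanged in the other pages of this patch.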
@@ -65314,27 +70547,11 @@ index 0000000..65cf30c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_clean:
-+
-+.EX
-+.B qmail_clean_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_clean_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_clean_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -65355,21 +70572,50 @@ index 0000000..65cf30c
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_clean(8), semanage(8), restorecon(8), chcon(1)
++, qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_inject_selinux.8 b/man/man8/qmail_inject_selinux.8
 new file mode 100644
-index 0000000..f44d42a
+index 0000000..451667c
 --- /dev/null
 +++ b/man/man8/qmail_inject_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,93 @@
 +.TH  "qmail_inject_selinux"  "8"  "qmail_inject" "dwalsh at redhat.com" "qmail_inject SELinux Policy documentation"
 +.SH "NAME"
 +qmail_inject_selinux \- Security Enhanced Linux Policy for the qmail_inject processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_inject processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_inject processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_inject processes execute with the qmail_inject_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_inject_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_inject_t SELinux type can be entered via the "qmail_inject_exec_t" file type.  The default entrypoint paths for the qmail_inject_t domain are the following:"
++
++/var/qmail/bin/qmail-inject
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_inject:
++
++.EX
++.B qmail_inject_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
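Review bot: The cross-reference line added after `chcon(1)` in the qmail_clean SEE ALSO block starts on its own input line with `, qmail_inject_selinux(8)`, so the rendered list gets a space before the comma. The file also now ends without a newline (`\ No newline at end of file`). Appending the new entries to the preceding line, so that it continues `chcon(1), qmail_inject_selinux(8), ...`, and ending the file with a newline avoids both. The SEE ALSO blocks of the other qmail_* pages in this patch have the same shape.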
@@ -65397,32 +70643,16 @@ index 0000000..f44d42a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_inject:
-+
-+.EX
-+.B qmail_inject_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_inject_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_inject_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B arpwatch_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65442,35 +70672,50 @@ index 0000000..f44d42a
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_inject(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_local_selinux.8 b/man/man8/qmail_local_selinux.8
 new file mode 100644
-index 0000000..b5e3a22
+index 0000000..40b484e
 --- /dev/null
 +++ b/man/man8/qmail_local_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,149 @@
 +.TH  "qmail_local_selinux"  "8"  "qmail_local" "dwalsh at redhat.com" "qmail_local SELinux Policy documentation"
 +.SH "NAME"
 +qmail_local_selinux \- Security Enhanced Linux Policy for the qmail_local processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_local processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_local processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_local processes execute with the qmail_local_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep qmail_local_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The qmail_local_t SELinux type can be entered via the "qmail_local_exec_t" file type.  The default entrypoint paths for the qmail_local_t domain are the following:"
++
++/var/qmail/bin/qmail-local
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_local:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B qmail_local_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65498,27 +70743,9 @@ index 0000000..b5e3a22
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_local:
-+
-+.EX
-+.B qmail_local_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_local_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_local_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dovecot_spool_t
@@ -65533,6 +70760,10 @@ index 0000000..b5e3a22
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
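Review bot: The added entries `/home/dwalsh/Maildir(/.*)?` and `/var/lib/xguest/home/xguest/Maildir(/.*)?` look like home-directory contexts expanded for accounts on the machine that generated the page, not policy defaults, although MANAGED FILES says "The paths listed are the default paths for these file types". They put a local user name into shipped documentation and can mislead an administrator about which paths carry the label on their own system. I would drop them so that only `/home/[^/]*/Maildir(/.*)?` remains, and regenerate the pages on a host without local user mappings. The same two prefixes are added under user_home_t in the next hunk and again in the qmail_lspawn page.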
@@ -65557,6 +70788,26 @@ index 0000000..b5e3a22
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -65577,21 +70828,50 @@ index 0000000..b5e3a22
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_local(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_lspawn_selinux.8 b/man/man8/qmail_lspawn_selinux.8
 new file mode 100644
-index 0000000..38201ca
+index 0000000..1a0b72f
 --- /dev/null
 +++ b/man/man8/qmail_lspawn_selinux.8
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,117 @@
 +.TH  "qmail_lspawn_selinux"  "8"  "qmail_lspawn" "dwalsh at redhat.com" "qmail_lspawn SELinux Policy documentation"
 +.SH "NAME"
 +qmail_lspawn_selinux \- Security Enhanced Linux Policy for the qmail_lspawn processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_lspawn processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_lspawn processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_lspawn processes execute with the qmail_lspawn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_lspawn_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_lspawn_t SELinux type can be entered via the "qmail_lspawn_exec_t" file type.  The default entrypoint paths for the qmail_lspawn_t domain are the following:"
++
++/var/qmail/bin/qmail-lspawn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_lspawn:
++
++.EX
++.B qmail_lspawn_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65619,27 +70899,9 @@ index 0000000..38201ca
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_lspawn:
-+
-+.EX
-+.B qmail_lspawn_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_lspawn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_lspawn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dovecot_spool_t
@@ -65654,12 +70916,22 @@ index 0000000..38201ca
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B user_home_t
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -65680,21 +70952,50 @@ index 0000000..38201ca
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_lspawn(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_queue_selinux.8 b/man/man8/qmail_queue_selinux.8
 new file mode 100644
-index 0000000..8505d8d
+index 0000000..fd09b1f
 --- /dev/null
 +++ b/man/man8/qmail_queue_selinux.8
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,99 @@
 +.TH  "qmail_queue_selinux"  "8"  "qmail_queue" "dwalsh at redhat.com" "qmail_queue SELinux Policy documentation"
 +.SH "NAME"
 +qmail_queue_selinux \- Security Enhanced Linux Policy for the qmail_queue processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_queue processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_queue processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_queue processes execute with the qmail_queue_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_queue_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_queue_t SELinux type can be entered via the "qmail_queue_exec_t" file type.  The default entrypoint paths for the qmail_queue_t domain are the following:"
++
++/var/qmail/bin/qmail-queue
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_queue:
++
++.EX
++.B qmail_queue_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65722,27 +71023,9 @@ index 0000000..8505d8d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_queue:
-+
-+.EX
-+.B qmail_queue_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_queue_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_queue_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B arpwatch_tmp_t
@@ -65754,6 +71037,8 @@ index 0000000..8505d8d
 +	/var/qmail/queue(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65773,21 +71058,50 @@ index 0000000..8505d8d
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_queue(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_remote_selinux.8 b/man/man8/qmail_remote_selinux.8
 new file mode 100644
-index 0000000..a2e0add
+index 0000000..29a10d9
 --- /dev/null
 +++ b/man/man8/qmail_remote_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "qmail_remote_selinux"  "8"  "qmail_remote" "dwalsh at redhat.com" "qmail_remote SELinux Policy documentation"
 +.SH "NAME"
 +qmail_remote_selinux \- Security Enhanced Linux Policy for the qmail_remote processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_remote processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_remote processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_remote processes execute with the qmail_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_remote_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_remote_t SELinux type can be entered via the "qmail_remote_exec_t" file type.  The default entrypoint paths for the qmail_remote_t domain are the following:"
++
++/var/qmail/bin/qmail-remote
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_remote:
++
++.EX
++.B qmail_remote_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65815,27 +71129,9 @@ index 0000000..a2e0add
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_remote:
-+
-+.EX
-+.B qmail_remote_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_remote_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_remote_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B qmail_spool_t
@@ -65843,6 +71139,8 @@ index 0000000..a2e0add
 +	/var/qmail/queue(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65862,21 +71160,50 @@ index 0000000..a2e0add
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_remote(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_rspawn_selinux.8 b/man/man8/qmail_rspawn_selinux.8
 new file mode 100644
-index 0000000..6eebbf4
+index 0000000..3b683c6
 --- /dev/null
 +++ b/man/man8/qmail_rspawn_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "qmail_rspawn_selinux"  "8"  "qmail_rspawn" "dwalsh at redhat.com" "qmail_rspawn SELinux Policy documentation"
 +.SH "NAME"
 +qmail_rspawn_selinux \- Security Enhanced Linux Policy for the qmail_rspawn processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_rspawn processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_rspawn processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_rspawn processes execute with the qmail_rspawn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_rspawn_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_rspawn_t SELinux type can be entered via the "qmail_rspawn_exec_t" file type.  The default entrypoint paths for the qmail_rspawn_t domain are the following:"
++
++/var/qmail/bin/qmail-rspawn
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_rspawn:
++
++.EX
++.B qmail_rspawn_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65904,27 +71231,9 @@ index 0000000..6eebbf4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_rspawn:
-+
-+.EX
-+.B qmail_rspawn_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_rspawn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_rspawn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B qmail_spool_t
@@ -65932,6 +71241,8 @@ index 0000000..6eebbf4
 +	/var/qmail/queue(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -65951,21 +71262,50 @@ index 0000000..6eebbf4
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_rspawn(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_send_selinux.8 b/man/man8/qmail_send_selinux.8
 new file mode 100644
-index 0000000..04619a2
+index 0000000..551a490
 --- /dev/null
 +++ b/man/man8/qmail_send_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "qmail_send_selinux"  "8"  "qmail_send" "dwalsh at redhat.com" "qmail_send SELinux Policy documentation"
 +.SH "NAME"
 +qmail_send_selinux \- Security Enhanced Linux Policy for the qmail_send processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_send processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_send processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_send processes execute with the qmail_send_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_send_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_send_t SELinux type can be entered via the "qmail_send_exec_t" file type.  The default entrypoint paths for the qmail_send_t domain are the following:"
++
++/var/qmail/bin/qmail-send
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_send:
++
++.EX
++.B qmail_send_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -65993,27 +71333,9 @@ index 0000000..04619a2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_send:
-+
-+.EX
-+.B qmail_send_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_send_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_send_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B qmail_spool_t
@@ -66021,6 +71343,8 @@ index 0000000..04619a2
 +	/var/qmail/queue(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -66040,23 +71364,52 @@ index 0000000..04619a2
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_send(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_smtpd_selinux.8 b/man/man8/qmail_smtpd_selinux.8
 new file mode 100644
-index 0000000..b8a059b
+index 0000000..db8a1a5
 --- /dev/null
 +++ b/man/man8/qmail_smtpd_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "qmail_smtpd_selinux"  "8"  "qmail_smtpd" "dwalsh at redhat.com" "qmail_smtpd SELinux Policy documentation"
 +.SH "NAME"
 +qmail_smtpd_selinux \- Security Enhanced Linux Policy for the qmail_smtpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_smtpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_smtpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_smtpd processes execute with the qmail_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.SH FILE CONTEXTS
++For example:
++
++.B ps -eZ | grep qmail_smtpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_smtpd_t SELinux type can be entered via the "qmail_smtpd_exec_t" file type.  The default entrypoint paths for the qmail_smtpd_t domain are the following:"
++
++/var/qmail/bin/qmail-smtpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_smtpd:
++
++.EX
++.B qmail_smtpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
 +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
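Review bot: The relocated PROCESS TYPES text ends its bold span with `\fBps\bP`, and `\bP` is not the font-reset escape; the DESCRIPTION paragraph added in this same hunk correctly writes `\fBps\fP`. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray quote (`are the following:"`) that should be dropped. Both slips repeat in the qmail_splogger, qmail_start, qmail_tcp_env, qpidd, quantum, quota_nld and quota pages further down. Since the text is identical per domain, these pages look generated, so the fix probably belongs in the generator rather than in each page.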
@@ -66082,27 +71435,11 @@ index 0000000..b8a059b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_smtpd:
-+
-+.EX
-+.B qmail_smtpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_smtpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_smtpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -66123,21 +71460,50 @@ index 0000000..b8a059b
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_smtpd(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_splogger_selinux.8 b/man/man8/qmail_splogger_selinux.8
 new file mode 100644
-index 0000000..f09a7fe
+index 0000000..ab8aa05
 --- /dev/null
 +++ b/man/man8/qmail_splogger_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "qmail_splogger_selinux"  "8"  "qmail_splogger" "dwalsh at redhat.com" "qmail_splogger SELinux Policy documentation"
 +.SH "NAME"
 +qmail_splogger_selinux \- Security Enhanced Linux Policy for the qmail_splogger processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_splogger processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_splogger processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_splogger processes execute with the qmail_splogger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_splogger_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_splogger_t SELinux type can be entered via the "qmail_splogger_exec_t" file type.  The default entrypoint paths for the qmail_splogger_t domain are the following:"
++
++/var/qmail/bin/splogger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_splogger:
++
++.EX
++.B qmail_splogger_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66165,27 +71531,11 @@ index 0000000..f09a7fe
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_splogger:
-+
-+.EX
-+.B qmail_splogger_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_splogger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_splogger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -66206,21 +71556,50 @@ index 0000000..f09a7fe
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_splogger(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_start_selinux.8 b/man/man8/qmail_start_selinux.8
 new file mode 100644
-index 0000000..c1062e6
+index 0000000..7bf27c9
 --- /dev/null
 +++ b/man/man8/qmail_start_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "qmail_start_selinux"  "8"  "qmail_start" "dwalsh at redhat.com" "qmail_start SELinux Policy documentation"
 +.SH "NAME"
 +qmail_start_selinux \- Security Enhanced Linux Policy for the qmail_start processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_start processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_start processes via flexible mandatory access control.
++
++The qmail_start processes execute with the qmail_start_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_start_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The qmail_start_t SELinux type can be entered via the "qmail_start_exec_t" file type.  The default entrypoint paths for the qmail_start_t domain are the following:"
++
++/var/qmail/bin/qmail-start
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_start:
++
++.EX
++.B qmail_start_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66248,27 +71627,11 @@ index 0000000..c1062e6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_start:
-+
-+.EX
-+.B qmail_start_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_start_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_start_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -66289,21 +71652,50 @@ index 0000000..c1062e6
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_start(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_tcp_env_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qmail_tcp_env_selinux.8 b/man/man8/qmail_tcp_env_selinux.8
 new file mode 100644
-index 0000000..b8c348b
+index 0000000..5ec1b48
 --- /dev/null
 +++ b/man/man8/qmail_tcp_env_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "qmail_tcp_env_selinux"  "8"  "qmail_tcp_env" "dwalsh at redhat.com" "qmail_tcp_env SELinux Policy documentation"
 +.SH "NAME"
 +qmail_tcp_env_selinux \- Security Enhanced Linux Policy for the qmail_tcp_env processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qmail_tcp_env processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qmail_tcp_env processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qmail_tcp_env processes execute with the qmail_tcp_env_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qmail_tcp_env_t
++
++
++.SH "ENTRYPOINTS"
++
++The qmail_tcp_env_t SELinux type can be entered via the "qmail_tcp_env_exec_t" file type.  The default entrypoint paths for the qmail_tcp_env_t domain are the following:"
++
++/var/qmail/bin/tcp-env
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible.
++.PP 
++The following process types are defined for qmail_tcp_env:
++
++.EX
++.B qmail_tcp_env_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66331,27 +71723,11 @@ index 0000000..b8c348b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qmail_tcp_env:
-+
-+.EX
-+.B qmail_tcp_env_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qmail_tcp_env_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qmail_tcp_env_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -66372,21 +71748,50 @@ index 0000000..b8c348b
 +
 +.SH "SEE ALSO"
 +selinux(8), qmail_tcp_env(8), semanage(8), restorecon(8), chcon(1)
++, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8
 new file mode 100644
-index 0000000..d0c9485
+index 0000000..2ca4ff0
 --- /dev/null
 +++ b/man/man8/qpidd_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,142 @@
 +.TH  "qpidd_selinux"  "8"  "qpidd" "dwalsh at redhat.com" "qpidd SELinux Policy documentation"
 +.SH "NAME"
 +qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the qpidd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the qpidd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The qpidd processes execute with the qpidd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep qpidd_t
++
++
++.SH "ENTRYPOINTS"
++
++The qpidd_t SELinux type can be entered via the "qpidd_exec_t" file type.  The default entrypoint paths for the qpidd_t domain are the following:"
++
++/usr/sbin/qpidd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
++.PP 
++The following process types are defined for qpidd:
++
++.EX
++.B qpidd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66450,27 +71855,9 @@ index 0000000..d0c9485
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for qpidd:
-+
-+.EX
-+.B qpidd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type qpidd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type qpidd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B qpidd_tmpfs_t
@@ -66490,6 +71877,8 @@ index 0000000..d0c9485
 +	/var/run/qpidd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -66511,33 +71900,46 @@ index 0000000..d0c9485
 +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8
 new file mode 100644
-index 0000000..715e232
+index 0000000..adcd8df
 --- /dev/null
 +++ b/man/man8/quantum_selinux.8
-@@ -0,0 +1,169 @@
+@@ -0,0 +1,180 @@
 +.TH  "quantum_selinux"  "8"  "quantum" "dwalsh at redhat.com" "quantum SELinux Policy documentation"
 +.SH "NAME"
 +quantum_selinux \- Security Enhanced Linux Policy for the quantum processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the quantum processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the quantum processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The quantum processes execute with the quantum_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep quantum_t
++
++
++.SH "ENTRYPOINTS"
++
++The quantum_t SELinux type can be entered via the "quantum_exec_t" file type.  The default entrypoint paths for the quantum_t domain are the following:"
 +
++/usr/bin/quantum-openvswitch-agent, /usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-linuxbridge-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
++.PP 
++The following process types are defined for quantum:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B quantum_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66624,27 +72026,9 @@ index 0000000..715e232
 +Default Defined Ports:
 +tcp 9696
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for quantum:
-+
-+.EX
-+.B quantum_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type quantum_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type quantum_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B quantum_log_t
@@ -66662,6 +72046,22 @@ index 0000000..715e232
 +	/var/lib/quantum(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -66686,33 +72086,46 @@ index 0000000..715e232
 +selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/quota_nld_selinux.8 b/man/man8/quota_nld_selinux.8
 new file mode 100644
-index 0000000..016d8c6
+index 0000000..b18dad2
 --- /dev/null
 +++ b/man/man8/quota_nld_selinux.8
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,117 @@
 +.TH  "quota_nld_selinux"  "8"  "quota_nld" "dwalsh at redhat.com" "quota_nld SELinux Policy documentation"
 +.SH "NAME"
 +quota_nld_selinux \- Security Enhanced Linux Policy for the quota_nld processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the quota_nld processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the quota_nld processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The quota_nld processes execute with the quota_nld_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep quota_nld_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The quota_nld_t SELinux type can be entered via the "quota_nld_exec_t" file type.  The default entrypoint paths for the quota_nld_t domain are the following:"
++
++/usr/sbin/quota_nld
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible.
++.PP 
++The following process types are defined for quota_nld:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B quota_nld_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66748,27 +72161,9 @@ index 0000000..016d8c6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for quota_nld:
-+
-+.EX
-+.B quota_nld_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type quota_nld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type quota_nld_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B quota_nld_var_run_t
@@ -66776,6 +72171,22 @@ index 0000000..016d8c6
 +	/var/run/quota_nld\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -66795,37 +72206,50 @@ index 0000000..016d8c6
 +
 +.SH "SEE ALSO"
 +selinux(8), quota_nld(8), semanage(8), restorecon(8), chcon(1)
-+, quota_selinux(8)
++, quota_selinux(8), quota_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8
 new file mode 100644
-index 0000000..37ee71e
+index 0000000..5344f22
 --- /dev/null
 +++ b/man/man8/quota_selinux.8
-@@ -0,0 +1,152 @@
+@@ -0,0 +1,167 @@
 +.TH  "quota_selinux"  "8"  "quota" "dwalsh at redhat.com" "quota SELinux Policy documentation"
 +.SH "NAME"
 +quota_selinux \- Security Enhanced Linux Policy for the quota processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the quota processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the quota processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The quota processes execute with the quota_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep quota_t
++
++
++.SH "ENTRYPOINTS"
 +
++The quota_t SELinux type can be entered via the "quota_exec_t" file type.  The default entrypoint paths for the quota_t domain are the following:"
++
++/usr/sbin/convertquota, /usr/sbin/quota(check|on), /sbin/quota(check|on)
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
++.PP 
++The following process types are defined for quota:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B quota_t, quota_nld_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -66893,27 +72317,9 @@ index 0000000..37ee71e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for quota:
-+
-+.EX
-+.B quota_t, quota_nld_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type quota_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type quota_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B quota_db_t
@@ -66934,6 +72340,26 @@ index 0000000..37ee71e
 +.br
 +	/home/a?quota\.(user|group)
 +.br
++	/home/dwalsh/a?quota\.(user|group)
++.br
++	/var/lib/xguest/home/xguest/a?quota\.(user|group)
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
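Review bot: The MANAGED FILES entries added here list `/home/dwalsh/a?quota\.(user|group)` and `/var/lib/xguest/home/xguest/a?quota\.(user|group)` as default paths for quota_db_t, and these look like home-directory expansions taken from the machine that generated the page rather than defaults present on every system. An administrator auditing what quota_t may manage would read them as shipped policy, and the page also publishes a local account name. I would drop both lines with their `.br` separators and keep only the generic `/home/a?quota\.(user|group)` entry, ideally by regenerating the pages from a policy build with no local users. The realmd_selinux.8 hunk further down adds the same kind of entries under cache_home_t (`/home/dwalsh/\.nv(/.*)?`, `/home/dwalsh/\.cache(/.*)?` and the xguest variants).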
@@ -66958,19 +72384,46 @@ index 0000000..37ee71e
 \ No newline at end of file
 diff --git a/man/man8/rabbitmq_beam_selinux.8 b/man/man8/rabbitmq_beam_selinux.8
 new file mode 100644
-index 0000000..bc275f5
+index 0000000..5d34dc3
 --- /dev/null
 +++ b/man/man8/rabbitmq_beam_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,101 @@
 +.TH  "rabbitmq_beam_selinux"  "8"  "rabbitmq_beam" "dwalsh at redhat.com" "rabbitmq_beam SELinux Policy documentation"
 +.SH "NAME"
 +rabbitmq_beam_selinux \- Security Enhanced Linux Policy for the rabbitmq_beam processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rabbitmq_beam processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rabbitmq_beam processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rabbitmq_beam processes execute with the rabbitmq_beam_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rabbitmq_beam_t
++
++
++.SH "ENTRYPOINTS"
++
++The rabbitmq_beam_t SELinux type can be entered via the "rabbitmq_beam_exec_t" file type.  The default entrypoint paths for the rabbitmq_beam_t domain are the following:"
++
++/usr/lib64/erlang/erts-5.8.5/bin/beam.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible.
++.PP 
++The following process types are defined for rabbitmq_beam:
++
++.EX
++.B rabbitmq_beam_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
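Review bot: The PROCESS TYPES text placed near the top of rabbitmq_beam_selinux.8 still closes the `ps` reference with `\fBps\bP`; `\bP` is not a font escape, so the bold started by `\fB` is presumably never switched off, and it should read `\fBps\fP`. In the new ENTRYPOINTS paragraph the sentence ends with a stray quote (`are the following:"`), which should be `are the following:`. The same two slips recur in the matching hunks for rabbitmq_epmd, racoon, radiusd, radvd, rdisc, readahead and realmd, so they are best fixed once in the generator template. This hunk covers only the start of the page; the rest of the file section continues in the following hunks.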
@@ -66998,27 +72451,9 @@ index 0000000..bc275f5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rabbitmq_beam:
-+
-+.EX
-+.B rabbitmq_beam_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rabbitmq_beam_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rabbitmq_beam_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rabbitmq_var_lib_t
@@ -67032,6 +72467,8 @@ index 0000000..bc275f5
 +	/var/log/rabbitmq(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
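Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the page gets an empty section. A reader checking whether `authlogin_nsswitch_use_ldap` or `kerberos_enabled` apply to rabbitmq_beam_t cannot tell whether the domain has no nsswitch access or the text was lost. The heading should be emitted only when there is at least one boolean paragraph under it, as there is in the racoon, radiusd and radvd pages. The same empty heading is added in the rabbitmq_epmd, rdisc and readahead hunks.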
@@ -67051,21 +72488,50 @@ index 0000000..bc275f5
 +
 +.SH "SEE ALSO"
 +selinux(8), rabbitmq_beam(8), semanage(8), restorecon(8), chcon(1)
++, rabbitmq_epmd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/rabbitmq_epmd_selinux.8 b/man/man8/rabbitmq_epmd_selinux.8
 new file mode 100644
-index 0000000..074cd3b
+index 0000000..7a2c8c8
 --- /dev/null
 +++ b/man/man8/rabbitmq_epmd_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "rabbitmq_epmd_selinux"  "8"  "rabbitmq_epmd" "dwalsh at redhat.com" "rabbitmq_epmd SELinux Policy documentation"
 +.SH "NAME"
 +rabbitmq_epmd_selinux \- Security Enhanced Linux Policy for the rabbitmq_epmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rabbitmq_epmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rabbitmq_epmd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rabbitmq_epmd processes execute with the rabbitmq_epmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rabbitmq_epmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rabbitmq_epmd_t SELinux type can be entered via the "rabbitmq_epmd_exec_t" file type.  The default entrypoint paths for the rabbitmq_epmd_t domain are the following:"
++
++/usr/lib64/erlang/erts-5.8.5/bin/epmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rabbitmq_epmd:
++
++.EX
++.B rabbitmq_epmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -67093,27 +72559,9 @@ index 0000000..074cd3b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rabbitmq_epmd:
-+
-+.EX
-+.B rabbitmq_epmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rabbitmq_epmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rabbitmq_epmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rabbitmq_var_log_t
@@ -67121,6 +72569,8 @@ index 0000000..074cd3b
 +	/var/log/rabbitmq(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -67140,45 +72590,60 @@ index 0000000..074cd3b
 +
 +.SH "SEE ALSO"
 +selinux(8), rabbitmq_epmd(8), semanage(8), restorecon(8), chcon(1)
++, rabbitmq_beam_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8
 new file mode 100644
-index 0000000..1dbeb60
+index 0000000..6ec2b3e
 --- /dev/null
 +++ b/man/man8/racoon_selinux.8
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,199 @@
 +.TH  "racoon_selinux"  "8"  "racoon" "dwalsh at redhat.com" "racoon SELinux Policy documentation"
 +.SH "NAME"
 +racoon_selinux \- Security Enhanced Linux Policy for the racoon processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the racoon processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the racoon processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible.
++The racoon processes execute with the racoon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.
++.B ps -eZ | grep racoon_t
 +
-+.EX
-+.B setsebool -P racoon_read_shadow 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The racoon_t SELinux type can be entered via the "racoon_exec_t" file type.  The default entrypoint paths for the racoon_t domain are the following:"
++
++/usr/sbin/racoon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
++.PP 
++The following process types are defined for racoon:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B racoon_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean.
++If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P racoon_read_shadow 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -67215,27 +72680,9 @@ index 0000000..1dbeb60
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for racoon:
-+
-+.EX
-+.B racoon_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type racoon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type racoon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -67311,6 +72758,22 @@ index 0000000..1dbeb60
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -67337,43 +72800,56 @@ index 0000000..1dbeb60
 \ No newline at end of file
 diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8
 new file mode 100644
-index 0000000..dea44ff
+index 0000000..546689e
 --- /dev/null
 +++ b/man/man8/radiusd_selinux.8
-@@ -0,0 +1,256 @@
+@@ -0,0 +1,267 @@
 +.TH  "radiusd_selinux"  "8"  "radiusd" "dwalsh at redhat.com" "radiusd SELinux Policy documentation"
 +.SH "NAME"
 +radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the radiusd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the radiusd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible.
++The radiusd processes execute with the radiusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean.
++.B ps -eZ | grep radiusd_t
 +
-+.EX
-+.B setsebool -P authlogin_radius 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The radiusd_t SELinux type can be entered via the "radiusd_exec_t" file type.  The default entrypoint paths for the radiusd_t domain are the following:"
++
++/usr/sbin/freeradius, /etc/cron\.(daily|monthly)/radiusd, /usr/sbin/radiusd, /etc/cron\.(daily|weekly|monthly)/freeradius
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
++.PP 
++The following process types are defined for radiusd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B radiusd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P authlogin_radius 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -67485,27 +72961,9 @@ index 0000000..dea44ff
 +Default Defined Ports:
 +udp 1645,1812
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for radiusd:
-+
-+.EX
-+.B radiusd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type radiusd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type radiusd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -67571,6 +73029,22 @@ index 0000000..dea44ff
 +	/var/run/radiusd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -67600,33 +73074,46 @@ index 0000000..dea44ff
 \ No newline at end of file
 diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8
 new file mode 100644
-index 0000000..9e7f1cb
+index 0000000..cd35181
 --- /dev/null
 +++ b/man/man8/radvd_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "radvd_selinux"  "8"  "radvd" "dwalsh at redhat.com" "radvd SELinux Policy documentation"
 +.SH "NAME"
 +radvd_selinux \- Security Enhanced Linux Policy for the radvd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the radvd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the radvd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The radvd processes execute with the radvd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep radvd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The radvd_t SELinux type can be entered via the "radvd_exec_t" file type.  The default entrypoint paths for the radvd_t domain are the following:"
++
++/usr/sbin/radvd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
++.PP 
++The following process types are defined for radvd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B radvd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -67682,27 +73169,9 @@ index 0000000..9e7f1cb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for radvd:
-+
-+.EX
-+.B radvd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type radvd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type radvd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B radvd_var_run_t
@@ -67712,6 +73181,22 @@ index 0000000..9e7f1cb
 +	/var/run/radvd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -67733,19 +73218,46 @@ index 0000000..9e7f1cb
 +selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8
 new file mode 100644
-index 0000000..30a2642
+index 0000000..dd2bbc3
 --- /dev/null
 +++ b/man/man8/rdisc_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "rdisc_selinux"  "8"  "rdisc" "dwalsh at redhat.com" "rdisc SELinux Policy documentation"
 +.SH "NAME"
 +rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rdisc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rdisc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rdisc processes execute with the rdisc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rdisc_t
++
++
++.SH "ENTRYPOINTS"
++
++The rdisc_t SELinux type can be entered via the "rdisc_exec_t" file type.  The default entrypoint paths for the rdisc_t domain are the following:"
++
++/sbin/rdisc, /usr/sbin/rdisc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
++.PP 
++The following process types are defined for rdisc:
++
++.EX
++.B rdisc_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -67777,27 +73289,11 @@ index 0000000..30a2642
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rdisc:
-+
-+.EX
-+.B rdisc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rdisc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rdisc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -67820,19 +73316,46 @@ index 0000000..30a2642
 +selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8
 new file mode 100644
-index 0000000..60709f3
+index 0000000..da7fda3
 --- /dev/null
 +++ b/man/man8/readahead_selinux.8
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,186 @@
 +.TH  "readahead_selinux"  "8"  "readahead" "dwalsh at redhat.com" "readahead SELinux Policy documentation"
 +.SH "NAME"
 +readahead_selinux \- Security Enhanced Linux Policy for the readahead processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the readahead processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the readahead processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The readahead processes execute with the readahead_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep readahead_t
++
++
++.SH "ENTRYPOINTS"
++
++The readahead_t SELinux type can be entered via the "readahead_exec_t" file type.  The default entrypoint paths for the readahead_t domain are the following:"
++
++/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*, /usr/sbin/readahead.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
++.PP 
++The following process types are defined for readahead:
++
++.EX
++.B readahead_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -67884,27 +73407,9 @@ index 0000000..60709f3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for readahead:
-+
-+.EX
-+.B readahead_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type readahead_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type readahead_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -67980,6 +73485,8 @@ index 0000000..60709f3
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -68001,19 +73508,46 @@ index 0000000..60709f3
 +selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/realmd_selinux.8 b/man/man8/realmd_selinux.8
 new file mode 100644
-index 0000000..4207aff
+index 0000000..2259066
 --- /dev/null
 +++ b/man/man8/realmd_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,126 @@
 +.TH  "realmd_selinux"  "8"  "realmd" "dwalsh at redhat.com" "realmd SELinux Policy documentation"
 +.SH "NAME"
 +realmd_selinux \- Security Enhanced Linux Policy for the realmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the realmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the realmd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The realmd processes execute with the realmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep realmd_t
++
++
++.SH "ENTRYPOINTS"
++
++The realmd_t SELinux type can be entered via the "realmd_exec_t" file type.  The default entrypoint paths for the realmd_t domain are the following:"
++
++/usr/lib/realmd/realmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for realmd:
++
++.EX
++.B realmd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -68041,27 +73575,27 @@ index 0000000..4207aff
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for realmd:
++.SH "MANAGED FILES"
 +
-+.EX
-+.B realmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++The SELinux process type realmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
-+.SH "MANAGED FILES"
++.br
++.B cache_home_t
 +
-+The SELinux user type realmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++	/root/\.cache(/.*)?
++.br
++	/home/[^/]*/\.nv(/.*)?
++.br
++	/home/[^/]*/\.cache(/.*)?
++.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
 +
 +.br
 +.B sssd_conf_t
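Review bot: The new `cache_home_t` list under MANAGED FILES includes `/home/dwalsh/\.nv(/.*)?`, `/home/dwalsh/\.cache(/.*)?` and the `/var/lib/xguest/home/xguest/` entries, while the paragraph above says the paths listed are the default paths. These look like home-directory expansions from the host the page was generated on rather than policy defaults (inferred from the account name matching the page's author field). They put a builder's account name into a shipped man page and blur the domain's real write surface for anyone auditing it. I would regenerate in a clean build root, or filter the expanded entries so that only `/root/\.cache(/.*)?` and the `/home/[^/]*/` templates remain. It is also worth confirming that realmd_t is meant to manage user cache directories at all, since that is a wider grant than the `sssd_conf_t` entry already listed.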
@@ -68069,6 +73603,22 @@ index 0000000..4207aff
 +	/etc/sssd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the realmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the realmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
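Review bot: The added NSSWITCH DOMAIN paragraphs read as if `authlogin_nsswitch_use_ldap` and `kerberos_enabled` were scoped to this domain ("for the realmd_t"). The same two booleans are named in the pages for regex_milter, restorecond, rgmanager, rhev_agentd and ricci_modcluster further down this patch, so `setsebool -P` on either one changes access for every domain conditioned on it. I would add a sentence such as `These booleans are shared by all nsswitch domains; enabling one affects every such domain, not only realmd_t.` The wording `rather then using a sssd serve` should also read `rather than using an sssd server`. Since the text is repeated per page, the change probably belongs in the generator template.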
@@ -68090,33 +73640,46 @@ index 0000000..4207aff
 +selinux(8), realmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/regex_milter_selinux.8 b/man/man8/regex_milter_selinux.8
 new file mode 100644
-index 0000000..7788cdc
+index 0000000..fd1b43b
 --- /dev/null
 +++ b/man/man8/regex_milter_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "regex_milter_selinux"  "8"  "regex_milter" "dwalsh at redhat.com" "regex_milter SELinux Policy documentation"
 +.SH "NAME"
 +regex_milter_selinux \- Security Enhanced Linux Policy for the regex_milter processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the regex_milter processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the regex_milter processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The regex_milter processes execute with the regex_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep regex_milter_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The regex_milter_t SELinux type can be entered via the "regex_milter_exec_t" file type.  The default entrypoint paths for the regex_milter_t domain are the following:"
++
++/usr/sbin/milter-regex
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible.
++.PP 
++The following process types are defined for regex_milter:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B regex_milter_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -68152,27 +73715,9 @@ index 0000000..7788cdc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for regex_milter:
-+
-+.EX
-+.B regex_milter_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type regex_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type regex_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B regex_milter_data_t
@@ -68180,6 +73725,22 @@ index 0000000..7788cdc
 +	/var/spool/milter-regex(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -68201,33 +73762,46 @@ index 0000000..7788cdc
 +selinux(8), regex_milter(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8
 new file mode 100644
-index 0000000..f5b8812
+index 0000000..10a342d
 --- /dev/null
 +++ b/man/man8/restorecond_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "restorecond_selinux"  "8"  "restorecond" "dwalsh at redhat.com" "restorecond SELinux Policy documentation"
 +.SH "NAME"
 +restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the restorecond processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the restorecond processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The restorecond processes execute with the restorecond_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep restorecond_t
++
++
++.SH "ENTRYPOINTS"
 +
++The restorecond_t SELinux type can be entered via the "restorecond_exec_t" file type.  The default entrypoint paths for the restorecond_t domain are the following:"
++
++/usr/sbin/restorecond
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
++.PP 
++The following process types are defined for restorecond:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B restorecond_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -68263,27 +73837,9 @@ index 0000000..f5b8812
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for restorecond:
-+
-+.EX
-+.B restorecond_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type restorecond_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type restorecond_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B restorecond_var_run_t
@@ -68297,6 +73853,22 @@ index 0000000..f5b8812
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -68318,43 +73890,56 @@ index 0000000..f5b8812
 +selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8
 new file mode 100644
-index 0000000..0e85cc9
+index 0000000..2d9a7b5
 --- /dev/null
 +++ b/man/man8/rgmanager_selinux.8
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,287 @@
 +.TH  "rgmanager_selinux"  "8"  "rgmanager" "dwalsh at redhat.com" "rgmanager SELinux Policy documentation"
 +.SH "NAME"
 +rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rgmanager processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rgmanager processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible.
++The rgmanager processes execute with the rgmanager_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
++.B ps -eZ | grep rgmanager_t
 +
-+.EX
-+.B setsebool -P rgmanager_can_network_connect 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The rgmanager_t SELinux type can be entered via the "rgmanager_exec_t" file type.  The default entrypoint paths for the rgmanager_t domain are the following:"
++
++/usr/sbin/cpglockd, /usr/sbin/rgmanager, /usr/lib(64)?/heartbeat/heartbeat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
++.PP 
++The following process types are defined for rgmanager:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B rgmanager_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean.
++If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P rgmanager_can_network_connect 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -68451,27 +74036,9 @@ index 0000000..0e85cc9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rgmanager:
-+
-+.EX
-+.B rgmanager_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rgmanager_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rgmanager_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_conf_t
@@ -68575,6 +74142,22 @@ index 0000000..0e85cc9
 +	/var/lib/nfs(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -68601,33 +74184,46 @@ index 0000000..0e85cc9
 \ No newline at end of file
 diff --git a/man/man8/rhev_agentd_selinux.8 b/man/man8/rhev_agentd_selinux.8
 new file mode 100644
-index 0000000..3939275
+index 0000000..380ea02
 --- /dev/null
 +++ b/man/man8/rhev_agentd_selinux.8
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,154 @@
 +.TH  "rhev_agentd_selinux"  "8"  "rhev_agentd" "dwalsh at redhat.com" "rhev_agentd SELinux Policy documentation"
 +.SH "NAME"
 +rhev_agentd_selinux \- Security Enhanced Linux Policy for the rhev_agentd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rhev_agentd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rhev_agentd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rhev_agentd processes execute with the rhev_agentd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rhev_agentd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rhev_agentd_t SELinux type can be entered via the "rhev_agentd_exec_t" file type.  The default entrypoint paths for the rhev_agentd_t domain are the following:"
 +
++/usr/share/rhev-agent/rhev-agentd\.py, /usr/share/ovirt-guest-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rhev_agentd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rhev_agentd_t, rhev_agentd_consolehelper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -68691,27 +74287,9 @@ index 0000000..3939275
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rhev_agentd:
-+
-+.EX
-+.B rhev_agentd_t, rhev_agentd_consolehelper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rhev_agentd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rhev_agentd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rhev_agentd_log_t
@@ -68729,6 +74307,22 @@ index 0000000..3939275
 +	/var/run/rhev-agentd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -68750,19 +74344,46 @@ index 0000000..3939275
 +selinux(8), rhev_agentd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8
 new file mode 100644
-index 0000000..58118b7
+index 0000000..0e6d920
 --- /dev/null
 +++ b/man/man8/rhgb_selinux.8
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,104 @@
 +.TH  "rhgb_selinux"  "8"  "rhgb" "dwalsh at redhat.com" "rhgb SELinux Policy documentation"
 +.SH "NAME"
 +rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rhgb processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rhgb processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rhgb processes execute with the rhgb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rhgb_t
++
++
++.SH "ENTRYPOINTS"
++
++The rhgb_t SELinux type can be entered via the "rhgb_exec_t" file type.  The default entrypoint paths for the rhgb_t domain are the following:"
++
++/usr/bin/rhgb
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
++.PP 
++The following process types are defined for rhgb:
++
++.EX
++.B rhgb_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -68798,27 +74419,9 @@ index 0000000..58118b7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rhgb:
-+
-+.EX
-+.B rhgb_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rhgb_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rhgb_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ramfs_t
@@ -68828,6 +74431,8 @@ index 0000000..58118b7
 +.B rhgb_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
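Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so the rendered rhgb page gets an empty section directly followed by COMMANDS; the rhsmcertd hunk below adds the same empty heading. Other pages in this patch fill the section with the two boolean paragraphs, which suggests the generator emits the heading unconditionally. The heading should be skipped when there is nothing to list, or carry a line such as `No nsswitch booleans apply to this domain.` if that is in fact the case.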
@@ -68849,19 +74454,46 @@ index 0000000..58118b7
 +selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8
 new file mode 100644
-index 0000000..5294b7d
+index 0000000..5ec3550
 --- /dev/null
 +++ b/man/man8/rhsmcertd_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,162 @@
 +.TH  "rhsmcertd_selinux"  "8"  "rhsmcertd" "dwalsh at redhat.com" "rhsmcertd SELinux Policy documentation"
 +.SH "NAME"
 +rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rhsmcertd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rhsmcertd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rhsmcertd processes execute with the rhsmcertd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rhsmcertd_t
++
++
++.SH "ENTRYPOINTS"
++
++The rhsmcertd_t SELinux type can be entered via the "rhsmcertd_exec_t" file type.  The default entrypoint paths for the rhsmcertd_t domain are the following:"
++
++/usr/bin/rhsmcertd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rhsmcertd:
++
++.EX
++.B rhsmcertd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -68929,27 +74561,9 @@ index 0000000..5294b7d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rhsmcertd:
-+
-+.EX
-+.B rhsmcertd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rhsmcertd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rhsmcertd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rhsmcertd_lock_t
@@ -68985,6 +74599,8 @@ index 0000000..5294b7d
 +	/var/lock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -69006,33 +74622,46 @@ index 0000000..5294b7d
 +selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ricci_modcluster_selinux.8 b/man/man8/ricci_modcluster_selinux.8
 new file mode 100644
-index 0000000..ba25c3c
+index 0000000..c04c850
 --- /dev/null
 +++ b/man/man8/ricci_modcluster_selinux.8
-@@ -0,0 +1,178 @@
+@@ -0,0 +1,189 @@
 +.TH  "ricci_modcluster_selinux"  "8"  "ricci_modcluster" "dwalsh at redhat.com" "ricci_modcluster SELinux Policy documentation"
 +.SH "NAME"
 +ricci_modcluster_selinux \- Security Enhanced Linux Policy for the ricci_modcluster processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci_modcluster processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci_modcluster processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci_modcluster processes execute with the ricci_modcluster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep ricci_modcluster_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ricci_modcluster_t SELinux type can be entered via the "ricci_modcluster_exec_t" file type.  The default entrypoint paths for the ricci_modcluster_t domain are the following:"
++
++/usr/libexec/modcluster
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci_modcluster:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ricci_modclusterd_t, ricci_modcluster_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -69129,27 +74758,9 @@ index 0000000..ba25c3c
 +.EE
 +udp 16851
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci_modcluster:
-+
-+.EX
-+.B ricci_modclusterd_t, ricci_modcluster_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_modcluster_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_modcluster_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cluster_conf_t
@@ -69165,6 +74776,22 @@ index 0000000..ba25c3c
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -69187,37 +74814,50 @@ index 0000000..ba25c3c
 +
 +.SH "SEE ALSO"
 +selinux(8), ricci_modcluster(8), semanage(8), restorecon(8), chcon(1)
-+, ricci_selinux(8), ricci_modclusterd_selinux(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ricci_modclusterd_selinux.8 b/man/man8/ricci_modclusterd_selinux.8
 new file mode 100644
-index 0000000..f9c2091
+index 0000000..21ed87c
 --- /dev/null
 +++ b/man/man8/ricci_modclusterd_selinux.8
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,157 @@
 +.TH  "ricci_modclusterd_selinux"  "8"  "ricci_modclusterd" "dwalsh at redhat.com" "ricci_modclusterd SELinux Policy documentation"
 +.SH "NAME"
 +ricci_modclusterd_selinux \- Security Enhanced Linux Policy for the ricci_modclusterd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci_modclusterd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci_modclusterd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci_modclusterd processes execute with the ricci_modclusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep ricci_modclusterd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ricci_modclusterd_t SELinux type can be entered via the "ricci_modclusterd_exec_t" file type.  The default entrypoint paths for the ricci_modclusterd_t domain are the following:"
++
++/usr/sbin/modclusterd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci_modclusterd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ricci_modclusterd_t, ricci_modcluster_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
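Review bot: The relocated PROCESS TYPES paragraph closes the bold `ps` with `\bP` instead of `\fP` (`option to \fBps\bP`), so the bold font is never reset and the formatter will likely misparse the escape. The DESCRIPTION paragraph added in the same hunk already uses the correct form, so the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried into the ricci_modlog, ricci_modrpm, ricci_modservice, ricci_modstorage and ricci pages in the following hunks, which suggests the fix belongs in the template that produces these pages rather than in each page.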
@@ -69278,27 +74918,9 @@ index 0000000..f9c2091
 +.EE
 +udp 16851
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci_modclusterd:
-+
-+.EX
-+.B ricci_modclusterd_t, ricci_modcluster_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_modclusterd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_modclusterd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ricci_modcluster_var_log_t
@@ -69318,6 +74940,22 @@ index 0000000..f9c2091
 +.B ricci_modclusterd_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -69340,23 +74978,50 @@ index 0000000..f9c2091
 +
 +.SH "SEE ALSO"
 +selinux(8), ricci_modclusterd(8), semanage(8), restorecon(8), chcon(1)
-+, ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modcluster_selinux(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modcluster_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ricci_modlog_selinux.8 b/man/man8/ricci_modlog_selinux.8
 new file mode 100644
-index 0000000..4491fd0
+index 0000000..019c6fe
 --- /dev/null
 +++ b/man/man8/ricci_modlog_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "ricci_modlog_selinux"  "8"  "ricci_modlog" "dwalsh at redhat.com" "ricci_modlog SELinux Policy documentation"
 +.SH "NAME"
 +ricci_modlog_selinux \- Security Enhanced Linux Policy for the ricci_modlog processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci_modlog processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci_modlog processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci_modlog processes execute with the ricci_modlog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ricci_modlog_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modlog_t SELinux type can be entered via the "ricci_modlog_exec_t" file type.  The default entrypoint paths for the ricci_modlog_t domain are the following:"
++
++/usr/libexec/ricci-modlog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci_modlog:
++
++.EX
++.B ricci_modlog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
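Review bot: The rewritten SEE ALSO line of ricci_modclusterd_selinux.8 repeats entries: `ricci_selinux(8)` and `ricci_modcluster_selinux(8)` each appear twice. Each page should be named once, i.e. `, ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)`. The SEE ALSO lines of the ricci_modcluster, ricci_modlog, ricci_modrpm, ricci_modservice and ricci_modstorage pages in this patch also list `ricci_selinux(8)` twice, so de-duplicating where the list is built would cover all of them.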
@@ -69384,27 +75049,11 @@ index 0000000..4491fd0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci_modlog:
-+
-+.EX
-+.B ricci_modlog_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_modlog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_modlog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
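Review bot: The added `.SH NSSWITCH DOMAIN` heading in ricci_modlog_selinux.8 has no body, because the next request is already `.SH "COMMANDS"`, so the page renders an empty section. The ricci_modcluster, ricci_modclusterd and ricci_modstorage pages fill this section with the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` booleans for the domains they name. Where no domain qualifies, the heading should be left out. ricci_modrpm_selinux.8 and ricci_modservice_selinux.8 receive the same empty heading in later hunks. The MANAGED FILES sentence just above it likewise introduces a list of file types that is empty on this page.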
@@ -69425,23 +75074,50 @@ index 0000000..4491fd0
 +
 +.SH "SEE ALSO"
 +selinux(8), ricci_modlog(8), semanage(8), restorecon(8), chcon(1)
-+, ricci_selinux(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ricci_modrpm_selinux.8 b/man/man8/ricci_modrpm_selinux.8
 new file mode 100644
-index 0000000..bea6294
+index 0000000..98763b8
 --- /dev/null
 +++ b/man/man8/ricci_modrpm_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "ricci_modrpm_selinux"  "8"  "ricci_modrpm" "dwalsh at redhat.com" "ricci_modrpm SELinux Policy documentation"
 +.SH "NAME"
 +ricci_modrpm_selinux \- Security Enhanced Linux Policy for the ricci_modrpm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci_modrpm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci_modrpm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci_modrpm processes execute with the ricci_modrpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ricci_modrpm_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modrpm_t SELinux type can be entered via the "ricci_modrpm_exec_t" file type.  The default entrypoint paths for the ricci_modrpm_t domain are the following:"
++
++/usr/libexec/ricci-modrpm
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci_modrpm:
++
++.EX
++.B ricci_modrpm_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -69469,27 +75145,11 @@ index 0000000..bea6294
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci_modrpm:
-+
-+.EX
-+.B ricci_modrpm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_modrpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_modrpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -69510,23 +75170,50 @@ index 0000000..bea6294
 +
 +.SH "SEE ALSO"
 +selinux(8), ricci_modrpm(8), semanage(8), restorecon(8), chcon(1)
-+, ricci_selinux(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ricci_modservice_selinux.8 b/man/man8/ricci_modservice_selinux.8
 new file mode 100644
-index 0000000..22e0986
+index 0000000..73b043b
 --- /dev/null
 +++ b/man/man8/ricci_modservice_selinux.8
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,89 @@
 +.TH  "ricci_modservice_selinux"  "8"  "ricci_modservice" "dwalsh at redhat.com" "ricci_modservice SELinux Policy documentation"
 +.SH "NAME"
 +ricci_modservice_selinux \- Security Enhanced Linux Policy for the ricci_modservice processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci_modservice processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci_modservice processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci_modservice processes execute with the ricci_modservice_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ricci_modservice_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_modservice_t SELinux type can be entered via the "ricci_modservice_exec_t" file type.  The default entrypoint paths for the ricci_modservice_t domain are the following:"
++
++/usr/libexec/ricci-modservice
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci_modservice:
++
++.EX
++.B ricci_modservice_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -69554,27 +75241,11 @@ index 0000000..22e0986
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci_modservice:
-+
-+.EX
-+.B ricci_modservice_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_modservice_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_modservice_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -69595,37 +75266,50 @@ index 0000000..22e0986
 +
 +.SH "SEE ALSO"
 +selinux(8), ricci_modservice(8), semanage(8), restorecon(8), chcon(1)
-+, ricci_selinux(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modstorage_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ricci_modstorage_selinux.8 b/man/man8/ricci_modstorage_selinux.8
 new file mode 100644
-index 0000000..3ab7e18
+index 0000000..31f1cc8
 --- /dev/null
 +++ b/man/man8/ricci_modstorage_selinux.8
-@@ -0,0 +1,140 @@
+@@ -0,0 +1,151 @@
 +.TH  "ricci_modstorage_selinux"  "8"  "ricci_modstorage" "dwalsh at redhat.com" "ricci_modstorage SELinux Policy documentation"
 +.SH "NAME"
 +ricci_modstorage_selinux \- Security Enhanced Linux Policy for the ricci_modstorage processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci_modstorage processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci_modstorage processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci_modstorage processes execute with the ricci_modstorage_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep ricci_modstorage_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The ricci_modstorage_t SELinux type can be entered via the "ricci_modstorage_exec_t" file type.  The default entrypoint paths for the ricci_modstorage_t domain are the following:"
++
++/usr/libexec/ricci-modstorage
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci_modstorage:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ricci_modstorage_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -69661,27 +75345,9 @@ index 0000000..3ab7e18
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci_modstorage:
-+
-+.EX
-+.B ricci_modstorage_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_modstorage_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_modstorage_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B default_t
@@ -69723,6 +75389,22 @@ index 0000000..3ab7e18
 +	/etc/lvm(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -69742,37 +75424,50 @@ index 0000000..3ab7e18
 +
 +.SH "SEE ALSO"
 +selinux(8), ricci_modstorage(8), semanage(8), restorecon(8), chcon(1)
-+, ricci_selinux(8)
++, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8
 new file mode 100644
-index 0000000..c50b549
+index 0000000..1e254e0
 --- /dev/null
 +++ b/man/man8/ricci_selinux.8
-@@ -0,0 +1,385 @@
+@@ -0,0 +1,396 @@
 +.TH  "ricci_selinux"  "8"  "ricci" "dwalsh at redhat.com" "ricci SELinux Policy documentation"
 +.SH "NAME"
 +ricci_selinux \- Security Enhanced Linux Policy for the ricci processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ricci processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ricci processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ricci processes execute with the ricci_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ricci_t
++
++
++.SH "ENTRYPOINTS"
++
++The ricci_t SELinux type can be entered via the "bin_t,ricci_exec_t" file types.  The default entrypoint paths for the ricci_t domain are the following:"
 +
++/etc/ppp/ip-up\..*, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /usr/lib/virtualbox/VBoxManage, /usr/lib/.*/scripts(/.*)?, /etc/ppp/ip-down\..*, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/shorewall-perl(/.*)?, /usr/Brother(/.*)?, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/lib/mailman.*/mail(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/share/cluster/ocf-shellfuncs, /bin, /usr/lib/.*/program(/.*)?, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/apr-0/build/libtool, /usr/lib/pm-utils(/.*)?, /etc/sysconfig/network-scripts/net.*, /usr/share/system-config-language/system-config-language, /usr/lib/vte/gnome-pty-helper, /etc/lxdm/Pre.*, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/nagios/plugins(/.*)?, /usr/share/PackageKit/helpers(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/fence(/.*)?, /etc/sysconfig/network-scripts/init.*, /usr/lib/xulrunner[^/]*/updater, /etc/mcelog/cache-error-trigger, /usr/share/system-config-
 mouse/system-config-mouse, /usr/share/system-config-netboot/pxeos\.py, /usr/share/cluster/.*\.sh, /usr/lib/udev/devices/MAKEDEV, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/mc/extfs/.*, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /var/qmail/rc, /var/mailman.*/bin(/.*)?, /usr/share/system-config-nfs/system-config-nfs\.py, /sbin, /usr/share/texmf/web2c/mktexupd, /usr/lib/readahead(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/xen/bin(/.*)?, /usr/share/Modules/init(/.*)?, /var/qmail/bin, /opt/google/talkplugin(/.*)?, /etc/profile.d(/.*)?, /usr/share/hwbrowser/hwbrowser, /usr/share/dayplanner/dayplanner, /usr/lib/nspluginwrapper/np.*, /usr/share/printconf/util/print\.py, /usr/lib/[^/]*/run-mozilla\.sh, /usr/linuxprinter/filters(/.*)?, /usr/share/system-config-network/neat-control\.py, /usr/lib/[^/]*/mozilla-xremote-client, /usr/share/hal/scripts(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/share/system-config-selinux/polgen\.py, /usr/lib(.*/)?sbin(/.*)?, /lib/udev/devi
 ces/MAKEDEV, /etc/vmware-tools(/.*)?, /etc/PackageKit/events(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /usr/share/sectool/.*\.py, /etc/pki/tls/certs/make-dummy-cert, /usr/lib/rpm/rpmd, /usr/lib/tuned/.*/.*\.sh, /usr/share/cluster/svclib_nfslock, /usr/libexec(/.*)?, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/apr-0/build/[^/]+\.sh, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /bin/mountpoint, /usr/share/rhn/rhn_applet/needed-packages\.py, /lib/security/pam_krb5(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/rpm/rpmk, /etc/apcupsd/commok, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/clamav/freshclam-sleep, /usr/lib/mediawiki/math/texvc.*, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/xfce4(/.*)?, /usr/share/system-config-services/system-config-services, /opt/(.*/)?libexec(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /usr/lib/debug/sbin(/.*)?, /etc/sysconfig/libvirtd, /etc/cron.weekly(/.*)?, /usr/lib/ccache/bin(/.*)?, /sbin/.*, /var/lib/asterisk/agi-bin(/.*)
 ?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /usr/lib/yp/.+, /usr/share/wicd/daemon(/.*)?, /etc/ppp/ipv6-up\..*, /etc/acpi/actions(/.*)?, /etc/sysconfig/network-scripts/ifdown.*, /usr/share/cluster/SAPDatabase, /usr/share/system-config-soundcard/system-config-soundcard, /usr/lib/udev/scsi_id, /etc/pm/power\.d(/.*)?, /usr/share/system-config-services/gui\.py, /etc/lxdm/Xsession, /usr/lib/cyrus-imapd/.*, /usr/sbin/insmod_ksymoops_clean, /etc/cipe/ip-down.*, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/share/shorewall/compiler\.pl, /usr/share/pydict/pydict\.py, /dev/MAKEDEV, /usr/share/shorewall-shell(/.*)?, /emul/ia32-linux/bin(/.*)?, /root/bin(/.*)?, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/system-config-selinux\.py, /etc/ppp/ipv6-down\..*, /usr/share/pwlib/make/ptlib-config, /usr/lib/ConsoleKit/scripts(/.*)?, /opt/(.*/)?bin(/.*)?, /etc/init\.d/functions, /lib/readahead(/.*)?, /etc/apcupsd/apccontrol, /usr/share/system-config-samb
 a/system-config-samba\.py, /usr/lib/misc/sftp-server, /etc/apcupsd/onbattery, /usr/lib/qt.*/bin(/.*)?, /usr/share/cvs/contrib/rcs2log, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/fedora-usermgmt/wrapper, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/share/ssl/misc(/.*)?, /etc/apcupsd/changeme, /etc/apcupsd/offbattery, /etc/apcupsd/commfailure, /etc/sysconfig/readonly-root, /etc/cron.monthly(/.*)?, /var/ftp/bin(/.*)?, /usr/lib/xfce4/xfwm4/helper-dialog, /usr/lib/iscan/network, /usr/share/shorewall-lite(/.*)?, /usr/Printer(/.*)?, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/lib/news/bin(/.*)?, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-netboot/pxeboot\.py, /etc/auto\.[^/]*, /usr/Brother/(.*/)?inf/brprintconf.*, /etc/apcupsd/masterconnect, /etc/avahi/.*\.action, /usr/lib/netsaint/plugins(/.*)?, /usr/share/authconfig/
 authconfig-tui\.py, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/lib/dracut(/.*)?, /usr/share/kde4/apps/kajongg/kajongg.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/selinux/devel/policygentool, /etc/mail/make, /usr/lib/debug/usr/libexec(/.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/libexec/openssh/sftp-server, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/chromium-browser(/.*)?, /etc/sysconfig/init, /usr/share/system-logviewer/system-logviewer\.py, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /usr/lib/wicd/monitor\.py, /etc/pki/tls/misc(/.*)?, /etc/cron.hourly(/.*)?, /etc/xen/qemu-ifup, /usr/share/system-config-services/serviceconf\.py, /usr/share/tucan.*/tucan.py, /usr/lib/portage/bin(/.*)?, /etc/lxdm/LoginReady, /etc/mcelog/triggers(/.*)?, /usr/share/texmf/web2c/mktexnam, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/apt/methods.+, /etc/rc\.d/init\.d/functions, /usr/lib/x
 fce4/exo-1/exo-compose-mail-1, /etc/kde/shutdown(/.*)?, /usr/lib/cups(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /usr/share/gnucash/finance-quote-helper, /etc/cron.daily(/.*)?, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/lib/rpm/rpmv, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/munin/plugins(/.*)?, /usr/share/clamav/clamd-gen, /etc/lxdm/Post.*, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /etc/hotplug/.*agent, /usr/lib/emacsen-common/.*, /usr/lib/jvm/java(.*/)bin(/.*), /etc/sysconfig/network-scripts/ifup.*, /usr/lib/xfce4/xfconf/xfconfd, /usr/lib/MailScanner(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/share/ajaxterm/qweb.py.*, /usr/share/switchdesk/switchdesk-gui\.py, /usr/lib/ipsec/.*, /usr/share/turboprint/lib(/.*)?, /usr/sbin/mkfs\.cramfs, /var/qmail/bin(/.*)?, /etc/sysconfig/crond, /usr/share/hplip/[^/]*, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/debconf/.+, /usr/share/shorewall/configpath, /usr/bin/pingus.*, /etc/hotplug/hotplug\.
 functions, /usr/lib/mailman.*/bin(/.*)?, /usr/share/texmf/web2c/mktexdir, /usr/share/gnucash/finance-quote-check, /etc/redhat-lsb(/.*)?, /usr/X11R6/lib/X11/xkb/xkbcomp, /etc/gdm/[^/]+, /opt/google/chrome(/.*)?, /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/dpkg/.+, /usr/share/sandbox/sandboxX.sh, /etc/cipe/ip-up.*, /usr/lib/udev/[^/]*, /usr/bin/mountpoint, /lib/udev/scsi_id, /bin/.*, /emul/ia32-linux/sbin(/.*)?, /var/lib/iscan/interpreter, /etc/dhcp/dhclient\.d(/.*)?, /etc/racoon/scripts(/.*)?, /opt/(.*/)?sbin(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/spamassassin/sa-update\.cron, /usr/share/rhn/rhn_applet/applet\.py, /etc/X11/xdm/TakeConsole, /usr/(.*/)?sbin(/.*)?, /etc/X11/xinit(/.*)?, /usr/share/shorewall/getparams, /usr/share/cluster/checkquorum, /etc/X11/xdm/GiveConsole, /usr/lib/xfce4/session/xfsm-shutdown-helper, /lib/upstart(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/gdm/[^/]+/.*, /usr/share/system-config-httpd/system-config-httpd, /usr/lib/upstart(/.*)?, /usr/lib/pgs
 ql/test/regress/.*\.sh, /usr/share/system-config-users/system-config-users, /etc/mgetty\+sendfax/new_fax, /usr/lib/debug/bin(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /etc/hotplug/.*rc, /usr/lib/courier(/.*)?, /etc/X11/xdm/Xsetup_0, /etc/netplug\.d(/.*)?, /usr/Brother/(.*/)?inf/setup.*, /usr/lib/xfce4/session/balou-install-theme, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/smolt/client(/.*)?, /usr/bin, /etc/sysconfig/netconsole, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/xfce4/panel/migrate, /usr/share/ajaxterm/ajaxterm.py.*, /sbin/mkfs\.cramfs, /usr/share/authconfig/authconfig\.py, /usr/share/system-config-date/system-config-date\.py, /usr/share/virtualbox/.*\.sh, /etc/apcupsd/mastertimeout, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/texmf/texconfig/tcfmgr, /etc/kde/env(/.*)?, /usr/lib/rpm/rpmq, /sbin/insmod_ksymoops_clean, /usr/lib/xfce4/panel/wrapper, /usr/share/system-config-printer/applet\.py, /etc/hotp
 lug\.d/default/default.*, /usr/lib(.*/)?bin(/.*)?, /usr/share/gitolite/hooks/common/update, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /usr/lib/sftp-server, /usr/share/system-config-display/system-config-display, /lib/udev/[^/]*, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/denyhosts/scripts(/.*)?, /usr/share/createrepo(/.*)?, /usr/lib/yaboot/addnote, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/share/cluster/SAPInstance, /usr/sbin/ricci
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
++.PP 
++The following process types are defined for ricci:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ricci_t, ricci_modservice_t, ricci_modstorage_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modrpm_t, ricci_modcluster_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
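Review bot: The new ENTRYPOINTS section of ricci_selinux.8 mixes the default paths of the generic `bin_t` type with those of `ricci_exec_t` in one undifferentiated list, so a reader cannot tell which executable is the dedicated entry point of the ricci_t domain. The sibling pages each list a single path for their `*_exec_t` type, so the ricci-specific entry is presumably `/usr/sbin/ricci` at the end of the list. Grouping the paths under the file type they belong to, or naming `bin_t` without expanding it, would keep the access-control information readable. The introductory sentence also ends with a stray `"` after `following:`, here and in the ENTRYPOINTS sections of the other ricci pages.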
@@ -69970,27 +75665,9 @@ index 0000000..c50b549
 +.EE
 +udp 11111
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ricci:
-+
-+.EX
-+.B ricci_t, ricci_modservice_t, ricci_modstorage_t, ricci_modclusterd_t, ricci_modlog_t, ricci_modrpm_t, ricci_modcluster_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ricci_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ricci_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -70112,6 +75789,22 @@ index 0000000..c50b549
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -70138,33 +75831,46 @@ index 0000000..c50b549
 \ No newline at end of file
 diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8
 new file mode 100644
-index 0000000..74f3ce6
+index 0000000..0fd4170
 --- /dev/null
 +++ b/man/man8/rlogind_selinux.8
-@@ -0,0 +1,309 @@
+@@ -0,0 +1,332 @@
 +.TH  "rlogind_selinux"  "8"  "rlogind" "dwalsh at redhat.com" "rlogind SELinux Policy documentation"
 +.SH "NAME"
 +rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rlogind processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rlogind processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rlogind processes execute with the rlogind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rlogind_t
++
++
++.SH "ENTRYPOINTS"
++
++The rlogind_t SELinux type can be entered via the "rlogind_exec_t" file type.  The default entrypoint paths for the rlogind_t domain are the following:"
 +
++/usr/lib/telnetlogin, /usr/kerberos/sbin/klogind, /usr/sbin/in\.rlogind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
++.PP 
++The following process types are defined for rlogind:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rlogind_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
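Review bot: The added PROCESS TYPES text closes the bold on `ps` with `\bP` instead of `\fP` (`option to \fBps\bP`), and `\b` is not a font escape, so the line will not render as intended. It should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`; the same line is re-added in the roundup, rpcbind, rpcd and rpm_script sections further down. The ENTRYPOINTS sentence in this hunk also ends with an unmatched `"` after `are the following:`. These pages look generated, so the fix probably belongs in the generator template rather than in this patch; the man page itself continues outside the hunk.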
@@ -70255,27 +75961,9 @@ index 0000000..74f3ce6
 +Default Defined Ports:
 +tcp 513
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rlogind:
-+
-+.EX
-+.B rlogind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rlogind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rlogind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -70294,6 +75982,14 @@ index 0000000..74f3ce6
 +.br
 +	/home/[^/]*/\.google_authenticator~
 +.br
++	/home/dwalsh/\.google_authenticator
++.br
++	/home/dwalsh/\.google_authenticator~
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator~
++.br
 +
 +.br
 +.B cgroup_t
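Review bot: The added `/home/dwalsh/\.google_authenticator` and `/var/lib/xguest/home/xguest/\.google_authenticator` entries (with their `~` variants) look like home-directory expansions from the machine the page was generated on, not default paths. That contradicts the MANAGED FILES sentence on this page, "The paths listed are the default paths for these file types". The generic `/home/[^/]*/\.google_authenticator~` line just above already documents the pattern, so the four host-specific lines should be dropped or the pages regenerated on a system without local accounts. The later hunks adding `/tmp/gconfd-dwalsh`, `/tmp/gconfd-xguest` and `/home/dwalsh/a?quota\.(user|group)` have the same problem, and shipping them also publishes a builder's account names in the package documentation.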
@@ -70402,6 +76098,10 @@ index 0000000..74f3ce6
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B var_auth_t
@@ -70429,6 +76129,22 @@ index 0000000..74f3ce6
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -70453,19 +76169,46 @@ index 0000000..74f3ce6
 +selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8
 new file mode 100644
-index 0000000..244f12e
+index 0000000..92bcc76
 --- /dev/null
 +++ b/man/man8/roundup_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "roundup_selinux"  "8"  "roundup" "dwalsh at redhat.com" "roundup SELinux Policy documentation"
 +.SH "NAME"
 +roundup_selinux \- Security Enhanced Linux Policy for the roundup processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the roundup processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the roundup processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The roundup processes execute with the roundup_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep roundup_t
++
++
++.SH "ENTRYPOINTS"
++
++The roundup_t SELinux type can be entered via the "roundup_exec_t" file type.  The default entrypoint paths for the roundup_t domain are the following:"
++
++/usr/bin/roundup-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
++.PP 
++The following process types are defined for roundup:
++
++.EX
++.B roundup_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -70517,27 +76260,9 @@ index 0000000..244f12e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for roundup:
-+
-+.EX
-+.B roundup_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type roundup_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type roundup_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B roundup_var_lib_t
@@ -70549,6 +76274,8 @@ index 0000000..244f12e
 +.B roundup_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
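Review bot: The added `.SH NSSWITCH DOMAIN` heading has no body here; it is followed directly by `.SH "COMMANDS"`, so the roundup page gets an empty section. Either omit the heading when the domain has no related booleans to list, or add one sentence saying that none apply. The rpcbind hunk below adds the same empty section. This presumably comes from the page generator, in which case the condition belongs there.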
@@ -70570,19 +76297,46 @@ index 0000000..244f12e
 +selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8
 new file mode 100644
-index 0000000..93eab37
+index 0000000..f5b8c67
 --- /dev/null
 +++ b/man/man8/rpcbind_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,142 @@
 +.TH  "rpcbind_selinux"  "8"  "rpcbind" "dwalsh at redhat.com" "rpcbind SELinux Policy documentation"
 +.SH "NAME"
 +rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rpcbind processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rpcbind processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rpcbind processes execute with the rpcbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rpcbind_t
++
++
++.SH "ENTRYPOINTS"
++
++The rpcbind_t SELinux type can be entered via the "rpcbind_exec_t" file type.  The default entrypoint paths for the rpcbind_t domain are the following:"
++
++/usr/sbin/rpcbind, /sbin/rpcbind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpcbind:
++
++.EX
++.B rpcbind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -70646,27 +76400,9 @@ index 0000000..93eab37
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rpcbind:
-+
-+.EX
-+.B rpcbind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rpcbind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rpcbind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rpcbind_var_lib_t
@@ -70686,6 +76422,8 @@ index 0000000..93eab37
 +	/var/run/rpcbind\.sock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -70707,33 +76445,46 @@ index 0000000..93eab37
 +selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8
 new file mode 100644
-index 0000000..eac3330
+index 0000000..9e5d907
 --- /dev/null
 +++ b/man/man8/rpcd_selinux.8
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,189 @@
 +.TH  "rpcd_selinux"  "8"  "rpcd" "dwalsh at redhat.com" "rpcd SELinux Policy documentation"
 +.SH "NAME"
 +rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rpcd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rpcd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rpcd processes execute with the rpcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rpcd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The rpcd_t SELinux type can be entered via the "rpcd_exec_t" file type.  The default entrypoint paths for the rpcd_t domain are the following:"
++
++/sbin/sm-notify, /usr/sbin/rpc\..*, /usr/sbin/rpc\.idmapd, /usr/sbin/sm-notify, /usr/sbin/rpc\.rquotad, /sbin/rpc\..*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpcd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rpcd_t, rpcbind_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -70797,27 +76548,9 @@ index 0000000..eac3330
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rpcd:
-+
-+.EX
-+.B rpcd_t, rpcbind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rpcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rpcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B quota_db_t
@@ -70838,6 +76571,10 @@ index 0000000..eac3330
 +.br
 +	/home/a?quota\.(user|group)
 +.br
++	/home/dwalsh/a?quota\.(user|group)
++.br
++	/var/lib/xguest/home/xguest/a?quota\.(user|group)
++.br
 +
 +.br
 +.B rgmanager_tmp_t
@@ -70865,6 +76602,22 @@ index 0000000..eac3330
 +	/var/lib(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -70888,33 +76641,46 @@ index 0000000..eac3330
 \ No newline at end of file
 diff --git a/man/man8/rpm_script_selinux.8 b/man/man8/rpm_script_selinux.8
 new file mode 100644
-index 0000000..b3aa8e2
+index 0000000..70acddc
 --- /dev/null
 +++ b/man/man8/rpm_script_selinux.8
-@@ -0,0 +1,114 @@
+@@ -0,0 +1,125 @@
 +.TH  "rpm_script_selinux"  "8"  "rpm_script" "dwalsh at redhat.com" "rpm_script SELinux Policy documentation"
 +.SH "NAME"
 +rpm_script_selinux \- Security Enhanced Linux Policy for the rpm_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rpm_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rpm_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rpm_script processes execute with the rpm_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rpm_script_t
 +
++
++.SH "ENTRYPOINTS"
++
++The rpm_script_t SELinux type can be entered via the "proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,bin_t,shell_exec_t,unlabeled_t" file types.  The default entrypoint paths for the rpm_script_t domain are the following:"
++
++/dev/cpu/mtrr, /etc/ppp/ip-up\..*, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /usr/lib/virtualbox/VBoxManage, /usr/lib/.*/scripts(/.*)?, /etc/ppp/ip-down\..*, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/shorewall-perl(/.*)?, /usr/Brother(/.*)?, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/lib/mailman.*/mail(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/share/cluster/ocf-shellfuncs, /bin, /usr/lib/.*/program(/.*)?, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/apr-0/build/libtool, /usr/lib/pm-utils(/.*)?, /etc/sysconfig/network-scripts/net.*, /usr/share/system-config-language/system-config-language, /usr/lib/vte/gnome-pty-helper, /etc/lxdm/Pre.*, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/nagios/plugins(/.*)?, /usr/share/PackageKit/helpers(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/fence(/.*)?, /etc/sysconfig/network-scripts/init.*, /usr/lib/xulrunner[^/]*/updater, /etc/mcelog/cache-error-trigger, /usr/share
 /system-config-mouse/system-config-mouse, /usr/share/system-config-netboot/pxeos\.py, /usr/share/cluster/.*\.sh, /usr/lib/udev/devices/MAKEDEV, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/mc/extfs/.*, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /var/qmail/rc, /var/mailman.*/bin(/.*)?, /usr/share/system-config-nfs/system-config-nfs\.py, /sbin, /usr/share/texmf/web2c/mktexupd, /usr/lib/readahead(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/xen/bin(/.*)?, /usr/share/Modules/init(/.*)?, /var/qmail/bin, /opt/google/talkplugin(/.*)?, /etc/profile.d(/.*)?, /usr/share/hwbrowser/hwbrowser, /usr/share/dayplanner/dayplanner, /usr/lib/nspluginwrapper/np.*, /usr/share/printconf/util/print\.py, /usr/lib/[^/]*/run-mozilla\.sh, /usr/linuxprinter/filters(/.*)?, /usr/share/system-config-network/neat-control\.py, /usr/lib/[^/]*/mozilla-xremote-client, /usr/share/hal/scripts(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/share/system-config-selinux/polgen\.py, /usr/lib(.*/)?sbin(/.*)?,
  /lib/udev/devices/MAKEDEV, /etc/vmware-tools(/.*)?, /etc/PackageKit/events(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /usr/share/sectool/.*\.py, /etc/pki/tls/certs/make-dummy-cert, /usr/lib/rpm/rpmd, /usr/lib/tuned/.*/.*\.sh, /usr/share/cluster/svclib_nfslock, /usr/libexec(/.*)?, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/apr-0/build/[^/]+\.sh, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /bin/mountpoint, /usr/share/rhn/rhn_applet/needed-packages\.py, /lib/security/pam_krb5(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/rpm/rpmk, /etc/apcupsd/commok, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/clamav/freshclam-sleep, /usr/lib/mediawiki/math/texvc.*, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/xfce4(/.*)?, /usr/share/system-config-services/system-config-services, /opt/(.*/)?libexec(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /usr/lib/debug/sbin(/.*)?, /etc/sysconfig/libvirtd, /etc/cron.weekly(/.*)?, /usr/lib/ccache/bin(/.*)?, /sbin/.*, /var/lib/asteri
 sk/agi-bin(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /usr/lib/yp/.+, /usr/share/wicd/daemon(/.*)?, /etc/ppp/ipv6-up\..*, /etc/acpi/actions(/.*)?, /etc/sysconfig/network-scripts/ifdown.*, /usr/share/cluster/SAPDatabase, /usr/share/system-config-soundcard/system-config-soundcard, /usr/lib/udev/scsi_id, /etc/pm/power\.d(/.*)?, /usr/share/system-config-services/gui\.py, /etc/lxdm/Xsession, /usr/lib/cyrus-imapd/.*, /usr/sbin/insmod_ksymoops_clean, /etc/cipe/ip-down.*, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/share/shorewall/compiler\.pl, /usr/share/pydict/pydict\.py, /dev/MAKEDEV, /usr/share/shorewall-shell(/.*)?, /emul/ia32-linux/bin(/.*)?, /root/bin(/.*)?, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/system-config-selinux\.py, /etc/ppp/ipv6-down\..*, /usr/share/pwlib/make/ptlib-config, /usr/lib/ConsoleKit/scripts(/.*)?, /opt/(.*/)?bin(/.*)?, /etc/init\.d/functions, /lib/readahead(/.*)?, /etc/apcupsd/apccontrol, /usr/share/sys
 tem-config-samba/system-config-samba\.py, /usr/lib/misc/sftp-server, /etc/apcupsd/onbattery, /usr/lib/qt.*/bin(/.*)?, /usr/share/cvs/contrib/rcs2log, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/fedora-usermgmt/wrapper, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/share/ssl/misc(/.*)?, /etc/apcupsd/changeme, /etc/apcupsd/offbattery, /etc/apcupsd/commfailure, /etc/sysconfig/readonly-root, /etc/cron.monthly(/.*)?, /var/ftp/bin(/.*)?, /usr/lib/xfce4/xfwm4/helper-dialog, /usr/lib/iscan/network, /usr/share/shorewall-lite(/.*)?, /usr/Printer(/.*)?, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/lib/news/bin(/.*)?, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-netboot/pxeboot\.py, /etc/auto\.[^/]*, /usr/Brother/(.*/)?inf/brprintconf.*, /etc/apcupsd/masterconnect, /etc/avahi/.*\.action, /usr/lib/netsaint/plugins(/.*)?, /usr/sh
 are/authconfig/authconfig-tui\.py, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/lib/dracut(/.*)?, /usr/share/kde4/apps/kajongg/kajongg.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/selinux/devel/policygentool, /etc/mail/make, /usr/lib/debug/usr/libexec(/.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/libexec/openssh/sftp-server, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/chromium-browser(/.*)?, /etc/sysconfig/init, /usr/share/system-logviewer/system-logviewer\.py, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /usr/lib/wicd/monitor\.py, /etc/pki/tls/misc(/.*)?, /etc/cron.hourly(/.*)?, /etc/xen/qemu-ifup, /usr/share/system-config-services/serviceconf\.py, /usr/share/tucan.*/tucan.py, /usr/lib/portage/bin(/.*)?, /etc/lxdm/LoginReady, /etc/mcelog/triggers(/.*)?, /usr/share/texmf/web2c/mktexnam, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/apt/methods.+, /etc/rc\.d/init\.d/functi
 ons, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /etc/kde/shutdown(/.*)?, /usr/lib/cups(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /usr/share/gnucash/finance-quote-helper, /etc/cron.daily(/.*)?, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/lib/rpm/rpmv, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/munin/plugins(/.*)?, /usr/share/clamav/clamd-gen, /etc/lxdm/Post.*, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /etc/hotplug/.*agent, /usr/lib/emacsen-common/.*, /usr/lib/jvm/java(.*/)bin(/.*), /etc/sysconfig/network-scripts/ifup.*, /usr/lib/xfce4/xfconf/xfconfd, /usr/lib/MailScanner(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/share/ajaxterm/qweb.py.*, /usr/share/switchdesk/switchdesk-gui\.py, /usr/lib/ipsec/.*, /usr/share/turboprint/lib(/.*)?, /usr/sbin/mkfs\.cramfs, /var/qmail/bin(/.*)?, /etc/sysconfig/crond, /usr/share/hplip/[^/]*, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/debconf/.+, /usr/share/shorewall/configpath, /usr/bin/pingus.*, /etc/ho
 tplug/hotplug\.functions, /usr/lib/mailman.*/bin(/.*)?, /usr/share/texmf/web2c/mktexdir, /usr/share/gnucash/finance-quote-check, /etc/redhat-lsb(/.*)?, /usr/X11R6/lib/X11/xkb/xkbcomp, /etc/gdm/[^/]+, /opt/google/chrome(/.*)?, /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/dpkg/.+, /usr/share/sandbox/sandboxX.sh, /etc/cipe/ip-up.*, /usr/lib/udev/[^/]*, /usr/bin/mountpoint, /lib/udev/scsi_id, /bin/.*, /emul/ia32-linux/sbin(/.*)?, /var/lib/iscan/interpreter, /etc/dhcp/dhclient\.d(/.*)?, /etc/racoon/scripts(/.*)?, /opt/(.*/)?sbin(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/spamassassin/sa-update\.cron, /usr/share/rhn/rhn_applet/applet\.py, /etc/X11/xdm/TakeConsole, /usr/(.*/)?sbin(/.*)?, /etc/X11/xinit(/.*)?, /usr/share/shorewall/getparams, /usr/share/cluster/checkquorum, /etc/X11/xdm/GiveConsole, /usr/lib/xfce4/session/xfsm-shutdown-helper, /lib/upstart(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/gdm/[^/]+/.*, /usr/share/system-config-httpd/system-config-httpd, /usr/lib/upstart(/.*)
 ?, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/system-config-users/system-config-users, /etc/mgetty\+sendfax/new_fax, /usr/lib/debug/bin(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /etc/hotplug/.*rc, /usr/lib/courier(/.*)?, /etc/X11/xdm/Xsetup_0, /etc/netplug\.d(/.*)?, /usr/Brother/(.*/)?inf/setup.*, /usr/lib/xfce4/session/balou-install-theme, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/smolt/client(/.*)?, /usr/bin, /etc/sysconfig/netconsole, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/xfce4/panel/migrate, /usr/share/ajaxterm/ajaxterm.py.*, /sbin/mkfs\.cramfs, /usr/share/authconfig/authconfig\.py, /usr/share/system-config-date/system-config-date\.py, /usr/share/virtualbox/.*\.sh, /etc/apcupsd/mastertimeout, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/texmf/texconfig/tcfmgr, /etc/kde/env(/.*)?, /usr/lib/rpm/rpmq, /sbin/insmod_ksymoops_clean, /usr/lib/xfce4/panel/wrapper, /usr/share/system-config-printer/applet
 \.py, /etc/hotplug\.d/default/default.*, /usr/lib(.*/)?bin(/.*)?, /usr/share/gitolite/hooks/common/update, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /usr/lib/sftp-server, /usr/share/system-config-display/system-config-display, /lib/udev/[^/]*, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/denyhosts/scripts(/.*)?, /usr/share/createrepo(/.*)?, /usr/lib/yaboot/addnote, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/share/cluster/SAPInstance, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rpm_script_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpm_script:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rpm_script_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
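Review bot: The ENTRYPOINTS paragraph added for rpm_script_t names `proc_type`, `file_type`, `sysctl_type` and `filesystem_type` as entry "file types", but these look like policy attributes that each cover many types, and the path list that follows appears to enumerate only part of what they match. Someone auditing what can transition into rpm_script_t could take the list as exhaustive. A sentence after the path list such as `Entries ending in _type are attributes; the paths above are not a complete list.` would avoid that reading. The page continues outside the hunk, so confirm against the policy source before wording it more strongly.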
@@ -70958,27 +76724,9 @@ index 0000000..b3aa8e2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rpm_script:
-+
-+.EX
-+.B rpm_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rpm_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rpm_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B file_type
@@ -70986,6 +76734,22 @@ index 0000000..b3aa8e2
 +	all files on the system
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rpm_script_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
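Review bot: The added NSSWITCH DOMAIN text says the booleans are turned on "for the rpm_script_t", which reads as if `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1` were scoped to that one domain. SELinux booleans are policy-wide and `-P` makes the change persistent, so enabling either one also widens access for every other domain the boolean covers. I would add a sentence such as `Note: this boolean is global; enabling it affects all domains that use it, not only rpm_script_t.` The first paragraph also has the typos `rather then using a sssd serve` for `rather than using an sssd server`, and the same text recurs in every NSSWITCH DOMAIN section added by this patch.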
@@ -71005,37 +76769,50 @@ index 0000000..b3aa8e2
 +
 +.SH "SEE ALSO"
 +selinux(8), rpm_script(8), semanage(8), restorecon(8), chcon(1)
-+, rpm_selinux(8)
++, rpm_selinux(8), rpm_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8
 new file mode 100644
-index 0000000..0a187e3
+index 0000000..7eb20b2
 --- /dev/null
 +++ b/man/man8/rpm_selinux.8
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,205 @@
 +.TH  "rpm_selinux"  "8"  "rpm" "dwalsh at redhat.com" "rpm SELinux Policy documentation"
 +.SH "NAME"
 +rpm_selinux \- Security Enhanced Linux Policy for the rpm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rpm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rpm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rpm processes execute with the rpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep rpm_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The rpm_t SELinux type can be entered via the "proc_type,rpm_script_exec_t,file_type,mtrr_device_t,sysctl_type,filesystem_type,rpm_exec_t,debuginfo_exec_t,unlabeled_t" file types.  The default entrypoint paths for the rpm_t domain are the following:"
++
++/dev/cpu/mtrr, /usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/bin/fedora-rmdevelrpms, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date, /usr/bin/dnf, /usr/bin/debuginfo-install
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
++.PP 
++The following process types are defined for rpm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rpm_t, rpm_script_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
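Review bot: The new ENTRYPOINTS paragraph for rpm_t names `file_type`, `proc_type`, `sysctl_type`, `filesystem_type` and `unlabeled_t` alongside `rpm_exec_t`, yet presents the path list that follows as the default entrypoints. If those names are attributes, as they appear to be, rpm_t can be entered from a far wider set of files than the listed paths, and `/dev/cpu/mtrr` in that list is a device node rather than a program. I would either restrict the sentence to the `*_exec_t` types or add a line such as `Note: rpm_t has entrypoint permission on the file_type attribute, so the path list below is not exhaustive.` The sentence also ends with a stray `"` after `following:`, which recurs in each ENTRYPOINTS section in this patch.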
@@ -71058,7 +76835,7 @@ index 0000000..0a187e3
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/bin/fedora-rmdevelrpms, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date
++/usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/bin/fedora-rmdevelrpms, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date, /usr/bin/dnf
 +
 +.EX
 +.PP
@@ -71159,27 +76936,9 @@ index 0000000..0a187e3
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rpm:
-+
-+.EX
-+.B rpm_t, rpm_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rpm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B file_type
@@ -71187,6 +76946,22 @@ index 0000000..0a187e3
 +	all files on the system
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -71210,33 +76985,46 @@ index 0000000..0a187e3
 \ No newline at end of file
 diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8
 new file mode 100644
-index 0000000..7976243
+index 0000000..78b6298
 --- /dev/null
 +++ b/man/man8/rshd_selinux.8
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,302 @@
 +.TH  "rshd_selinux"  "8"  "rshd" "dwalsh at redhat.com" "rshd SELinux Policy documentation"
 +.SH "NAME"
 +rshd_selinux \- Security Enhanced Linux Policy for the rshd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rshd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rshd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rshd processes execute with the rshd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rshd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The rshd_t SELinux type can be entered via the "rshd_exec_t" file type.  The default entrypoint paths for the rshd_t domain are the following:"
++
++/usr/sbin/in\.rshd, /usr/kerberos/sbin/kshd, /usr/sbin/in\.rexecd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
++.PP 
++The following process types are defined for rshd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rshd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
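Review bot: In the PROCESS TYPES paragraph that this hunk moves up, the line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` ends with `\bP` instead of `\fP`, so the bold font is never switched off and `\b` is read as a different escape. It should read `\fBps\fP`, as the new DESCRIPTION paragraph in this same hunk already does. The same line is re-added in the rpm, rssh_chroot_helper, rssh, rsync, rtkit_daemon and run_init pages in this patch.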
@@ -71299,27 +77087,9 @@ index 0000000..7976243
 +Default Defined Ports:
 +tcp 514
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rshd:
-+
-+.EX
-+.B rshd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rshd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rshd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -71338,6 +77108,14 @@ index 0000000..7976243
 +.br
 +	/home/[^/]*/\.google_authenticator~
 +.br
++	/home/dwalsh/\.google_authenticator
++.br
++	/home/dwalsh/\.google_authenticator~
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator~
++.br
 +
 +.br
 +.B cgroup_t
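Review bot: The four added auth_cache_t paths under `/home/dwalsh/` and `/var/lib/xguest/home/xguest/` look like entries taken from the accounts on the machine that generated the page rather than from the shipped policy. They publish local account names in a distributed man page and describe paths that will not exist on a reader's system, while the existing `/home/[^/]*/\.google_authenticator~` pattern already covers the general case. The next hunk adds `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` in the same way. I would drop these lines and regenerate the pages on a host without per-user file-context entries, for example in a clean build root.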
@@ -71438,6 +77216,10 @@ index 0000000..7976243
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B user_tmp_type
@@ -71471,6 +77253,22 @@ index 0000000..7976243
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -71495,33 +77293,46 @@ index 0000000..7976243
 +selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rssh_chroot_helper_selinux.8 b/man/man8/rssh_chroot_helper_selinux.8
 new file mode 100644
-index 0000000..dc6b17f
+index 0000000..c27131b
 --- /dev/null
 +++ b/man/man8/rssh_chroot_helper_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "rssh_chroot_helper_selinux"  "8"  "rssh_chroot_helper" "dwalsh at redhat.com" "rssh_chroot_helper SELinux Policy documentation"
 +.SH "NAME"
 +rssh_chroot_helper_selinux \- Security Enhanced Linux Policy for the rssh_chroot_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rssh_chroot_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rssh_chroot_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rssh_chroot_helper processes execute with the rssh_chroot_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rssh_chroot_helper_t
++
++
++.SH "ENTRYPOINTS"
 +
++The rssh_chroot_helper_t SELinux type can be entered via the "rssh_chroot_helper_exec_t" file type.  The default entrypoint paths for the rssh_chroot_helper_t domain are the following:"
++
++/usr/libexec/rssh_chroot_helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for rssh_chroot_helper:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rssh_chroot_helper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -71549,27 +77360,25 @@ index 0000000..dc6b17f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type rssh_chroot_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rssh_chroot_helper:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B rssh_chroot_helper_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type rssh_chroot_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
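Review bot: The MANAGED FILES section added for rssh_chroot_helper_t announces `the following file types` and is then followed directly by `.SH NSSWITCH DOMAIN` with no entries at all. A reader cannot tell whether the domain manages no files or the list was lost during generation. If the list is really empty, either omit the section or say so, e.g. `The SELinux process type rssh_chroot_helper_t does not manage any file types.`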
@@ -71590,37 +77399,50 @@ index 0000000..dc6b17f
 +
 +.SH "SEE ALSO"
 +selinux(8), rssh_chroot_helper(8), semanage(8), restorecon(8), chcon(1)
-+, rssh_selinux(8)
++, rssh_selinux(8), rssh_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8
 new file mode 100644
-index 0000000..e7179dd
+index 0000000..fa82146
 --- /dev/null
 +++ b/man/man8/rssh_selinux.8
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,131 @@
 +.TH  "rssh_selinux"  "8"  "rssh" "dwalsh at redhat.com" "rssh SELinux Policy documentation"
 +.SH "NAME"
 +rssh_selinux \- Security Enhanced Linux Policy for the rssh processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rssh processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rssh processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rssh processes execute with the rssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rssh_t
++
++
++.SH "ENTRYPOINTS"
++
++The rssh_t SELinux type can be entered via the "rssh_exec_t" file type.  The default entrypoint paths for the rssh_t domain are the following:"
 +
++/usr/bin/rssh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
++.PP 
++The following process types are defined for rssh:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rssh_t, rssh_chroot_helper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
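Review bot: The SEE ALSO line at the top of this hunk becomes `, rssh_selinux(8), rssh_selinux(8)`, which lists the same page twice. The rpm_script page gets the same duplicate, `, rpm_selinux(8), rpm_selinux(8)`, earlier in this patch. A single reference is enough, `, rssh_selinux(8)`, and since both files still end without a trailing newline the fix probably belongs in whatever produces these pages rather than in the pages themselves.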
@@ -71672,32 +77494,30 @@ index 0000000..e7179dd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rssh:
-+
-+.EX
-+.B rssh_t, rssh_chroot_helper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rssh_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rssh_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rssh_rw_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -71720,10 +77540,10 @@ index 0000000..e7179dd
 +, rssh_chroot_helper_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
-index ad9ccf5..f0b5a28 100644
+index ad9ccf5..f383d90 100644
 --- a/man/man8/rsync_selinux.8
 +++ b/man/man8/rsync_selinux.8
-@@ -1,52 +1,244 @@
+@@ -1,52 +1,255 @@
 -.TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "rsync Selinux Policy documentation"
 -.de EX
 -.nf
@@ -71740,8 +77560,7 @@ index ad9ccf5..f0b5a28 100644
  .SH "DESCRIPTION"
  
 -Security-Enhanced Linux secures the rsync server via flexible mandatory access
-+Security-Enhanced Linux secures the rsync processes via flexible mandatory access
- control.  
+-control.  
 -.SH FILE_CONTEXTS
 -SELinux requires files to have an extended attribute to define the file type. 
 -Policy governs the access daemons have to these files. 
@@ -71752,6 +77571,37 @@ index ad9ccf5..f0b5a28 100644
 -.TP
 -.TP
 -To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
++Security-Enhanced Linux secures the rsync processes via flexible mandatory access control.
++
++The rsync processes execute with the rsync_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rsync_t
++
++
++.SH "ENTRYPOINTS"
++
++The rsync_t SELinux type can be entered via the "rsync_exec_t" file type.  The default entrypoint paths for the rsync_t domain are the following:"
++
++/usr/bin/rsync
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
++.PP 
++The following process types are defined for rsync:
++
++.EX
++.B rsync_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible.
@@ -71792,22 +77642,6 @@ index ad9ccf5..f0b5a28 100644
 +.B setsebool -P rsync_use_cifs 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
  .TP
@@ -71938,27 +77772,9 @@ index ad9ccf5..f0b5a28 100644
 +.EE
 +udp 873
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rsync:
-+
-+.EX
-+.B rsync_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rsync_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rsync_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rsync_log_t
@@ -71976,6 +77792,22 @@ index ad9ccf5..f0b5a28 100644
 +	/var/run/rsyncd\.lock
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -72007,33 +77839,46 @@ index ad9ccf5..f0b5a28 100644
 \ No newline at end of file
 diff --git a/man/man8/rtkit_daemon_selinux.8 b/man/man8/rtkit_daemon_selinux.8
 new file mode 100644
-index 0000000..3901756
+index 0000000..21faacf
 --- /dev/null
 +++ b/man/man8/rtkit_daemon_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,106 @@
 +.TH  "rtkit_daemon_selinux"  "8"  "rtkit_daemon" "dwalsh at redhat.com" "rtkit_daemon SELinux Policy documentation"
 +.SH "NAME"
 +rtkit_daemon_selinux \- Security Enhanced Linux Policy for the rtkit_daemon processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rtkit_daemon processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rtkit_daemon processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rtkit_daemon processes execute with the rtkit_daemon_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep rtkit_daemon_t
++
++
++.SH "ENTRYPOINTS"
++
++The rtkit_daemon_t SELinux type can be entered via the "rtkit_daemon_exec_t" file type.  The default entrypoint paths for the rtkit_daemon_t domain are the following:"
 +
++/usr/libexec/rtkit-daemon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the rtkit_daemon_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible.
++.PP 
++The following process types are defined for rtkit_daemon:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B rtkit_daemon_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -72061,32 +77906,30 @@ index 0000000..3901756
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rtkit_daemon:
-+
-+.EX
-+.B rtkit_daemon_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rtkit_daemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rtkit_daemon_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the rtkit_daemon_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -72108,33 +77951,46 @@ index 0000000..3901756
 +selinux(8), rtkit_daemon(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/run_init_selinux.8 b/man/man8/run_init_selinux.8
 new file mode 100644
-index 0000000..ba67797
+index 0000000..923bb8a
 --- /dev/null
 +++ b/man/man8/run_init_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,146 @@
 +.TH  "run_init_selinux"  "8"  "run_init" "dwalsh at redhat.com" "run_init SELinux Policy documentation"
 +.SH "NAME"
 +run_init_selinux \- Security Enhanced Linux Policy for the run_init processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the run_init processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the run_init processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The run_init processes execute with the run_init_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep run_init_t
 +
++
++.SH "ENTRYPOINTS"
++
++The run_init_t SELinux type can be entered via the "run_init_exec_t" file type.  The default entrypoint paths for the run_init_t domain are the following:"
++
++/usr/sbin/run_init
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible.
++.PP 
++The following process types are defined for run_init:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B run_init_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -72162,27 +78018,9 @@ index 0000000..ba67797
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for run_init:
-+
-+.EX
-+.B run_init_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type run_init_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type run_init_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -72228,6 +78066,22 @@ index 0000000..ba67797
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -72249,19 +78103,46 @@ index 0000000..ba67797
 +selinux(8), run_init(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8
 new file mode 100644
-index 0000000..e319c86
+index 0000000..71795f3
 --- /dev/null
 +++ b/man/man8/rwho_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,150 @@
 +.TH  "rwho_selinux"  "8"  "rwho" "dwalsh at redhat.com" "rwho SELinux Policy documentation"
 +.SH "NAME"
 +rwho_selinux \- Security Enhanced Linux Policy for the rwho processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rwho processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the rwho processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The rwho processes execute with the rwho_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep rwho_t
++
++
++.SH "ENTRYPOINTS"
++
++The rwho_t SELinux type can be entered via the "rwho_exec_t" file type.  The default entrypoint paths for the rwho_t domain are the following:"
++
++/usr/sbin/rwhod
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
++.PP 
++The following process types are defined for rwho:
++
++.EX
++.B rwho_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -72336,27 +78217,9 @@ index 0000000..e319c86
 +Default Defined Ports:
 +udp 513
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for rwho:
-+
-+.EX
-+.B rwho_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rwho_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type rwho_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B rwho_log_t
@@ -72370,6 +78233,8 @@ index 0000000..e319c86
 +	/var/spool/rwho(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -72394,33 +78259,46 @@ index 0000000..e319c86
 +selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/samba_net_selinux.8 b/man/man8/samba_net_selinux.8
 new file mode 100644
-index 0000000..63b3384
+index 0000000..8436edf
 --- /dev/null
 +++ b/man/man8/samba_net_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,153 @@
 +.TH  "samba_net_selinux"  "8"  "samba_net" "dwalsh at redhat.com" "samba_net SELinux Policy documentation"
 +.SH "NAME"
 +samba_net_selinux \- Security Enhanced Linux Policy for the samba_net processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the samba_net processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the samba_net processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The samba_net processes execute with the samba_net_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the samba_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep samba_net_t
++
++
++.SH "ENTRYPOINTS"
++
++The samba_net_t SELinux type can be entered via the "samba_net_exec_t" file type.  The default entrypoint paths for the samba_net_t domain are the following:"
 +
++/usr/bin/net
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the samba_net_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible.
++.PP 
++The following process types are defined for samba_net:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B samba_net_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -72456,27 +78334,9 @@ index 0000000..63b3384
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for samba_net:
-+
-+.EX
-+.B samba_net_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type samba_net_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type samba_net_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -72520,6 +78380,22 @@ index 0000000..63b3384
 +	/var/spool/samba(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the samba_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the samba_net_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -72539,6 +78415,8 @@ index 0000000..63b3384
 +
 +.SH "SEE ALSO"
 +selinux(8), samba_net(8), semanage(8), restorecon(8), chcon(1)
++, samba_unconfined_script_selinux(8), sambagui_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
 deleted file mode 100644
 index ca702c7..0000000
@@ -72603,19 +78481,46 @@ index ca702c7..0000000
 -selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
 diff --git a/man/man8/samba_unconfined_script_selinux.8 b/man/man8/samba_unconfined_script_selinux.8
 new file mode 100644
-index 0000000..7006cb4
+index 0000000..5ee2f4c
 --- /dev/null
 +++ b/man/man8/samba_unconfined_script_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "samba_unconfined_script_selinux"  "8"  "samba_unconfined_script" "dwalsh at redhat.com" "samba_unconfined_script SELinux Policy documentation"
 +.SH "NAME"
 +samba_unconfined_script_selinux \- Security Enhanced Linux Policy for the samba_unconfined_script processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the samba_unconfined_script processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the samba_unconfined_script processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The samba_unconfined_script processes execute with the samba_unconfined_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep samba_unconfined_script_t
++
++
++.SH "ENTRYPOINTS"
++
++The samba_unconfined_script_t SELinux type can be entered via the "samba_unconfined_script_exec_t,shell_exec_t" file types.  The default entrypoint paths for the samba_unconfined_script_t domain are the following:"
++
++/var/lib/samba/scripts(/.*)?, /usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible.
++.PP 
++The following process types are defined for samba_unconfined_script:
++
++.EX
++.B samba_unconfined_script_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -72643,27 +78548,11 @@ index 0000000..7006cb4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for samba_unconfined_script:
-+
-+.EX
-+.B samba_unconfined_script_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type samba_unconfined_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type samba_unconfined_script_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -72684,35 +78573,50 @@ index 0000000..7006cb4
 +
 +.SH "SEE ALSO"
 +selinux(8), samba_unconfined_script(8), semanage(8), restorecon(8), chcon(1)
++, samba_net_selinux(8), sambagui_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8
 new file mode 100644
-index 0000000..0620dd4
+index 0000000..76d2ac6
 --- /dev/null
 +++ b/man/man8/sambagui_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,126 @@
 +.TH  "sambagui_selinux"  "8"  "sambagui" "dwalsh at redhat.com" "sambagui SELinux Policy documentation"
 +.SH "NAME"
 +sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sambagui processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sambagui processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sambagui processes execute with the sambagui_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep sambagui_t
 +
++
++.SH "ENTRYPOINTS"
++
++The sambagui_t SELinux type can be entered via the "sambagui_exec_t" file type.  The default entrypoint paths for the sambagui_t domain are the following:"
++
++/usr/share/system-config-samba/system-config-samba-mechanism.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
++.PP 
++The following process types are defined for sambagui:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sambagui_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -72740,27 +78644,9 @@ index 0000000..0620dd4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sambagui:
-+
-+.EX
-+.B sambagui_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sambagui_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sambagui_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B samba_etc_t
@@ -72786,6 +78672,22 @@ index 0000000..0620dd4
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -72986,17 +78888,46 @@ index 0000000..759c807
 \ No newline at end of file
 diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8
 new file mode 100644
-index 0000000..81d9aa7
+index 0000000..5c289a0
 --- /dev/null
 +++ b/man/man8/sanlock_selinux.8
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,182 @@
 +.TH  "sanlock_selinux"  "8"  "sanlock" "dwalsh at redhat.com" "sanlock SELinux Policy documentation"
 +.SH "NAME"
 +sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sanlock processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sanlock processes via flexible mandatory access control.
++
++The sanlock processes execute with the sanlock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sanlock_t
++
++
++.SH "ENTRYPOINTS"
++
++The sanlock_t SELinux type can be entered via the "sanlock_exec_t" file type.  The default entrypoint paths for the sanlock_t domain are the following:"
++
++/usr/sbin/sanlock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
++.PP 
++The following process types are defined for sanlock:
++
++.EX
++.B sanlock_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible.
@@ -73030,22 +78961,6 @@ index 0000000..81d9aa7
 +.B setsebool -P sanlock_use_samba 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -73096,27 +79011,9 @@ index 0000000..81d9aa7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sanlock:
-+
-+.EX
-+.B sanlock_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sanlock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sanlock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sanlock_log_t
@@ -73138,6 +79035,22 @@ index 0000000..81d9aa7
 +	/var/lib/libvirt(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -73164,43 +79077,56 @@ index 0000000..81d9aa7
 \ No newline at end of file
 diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8
 new file mode 100644
-index 0000000..7569230
+index 0000000..aff4491
 --- /dev/null
 +++ b/man/man8/saslauthd_selinux.8
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,213 @@
 +.TH  "saslauthd_selinux"  "8"  "saslauthd" "dwalsh at redhat.com" "saslauthd SELinux Policy documentation"
 +.SH "NAME"
 +saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the saslauthd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the saslauthd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible.
++The saslauthd processes execute with the saslauthd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean.
++.B ps -eZ | grep saslauthd_t
 +
-+.EX
-+.B setsebool -P saslauthd_read_shadow 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The saslauthd_t SELinux type can be entered via the "saslauthd_exec_t" file type.  The default entrypoint paths for the saslauthd_t domain are the following:"
++
++/usr/sbin/saslauthd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
++.PP 
++The following process types are defined for saslauthd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B saslauthd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P saslauthd_read_shadow 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -73257,27 +79183,9 @@ index 0000000..7569230
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for saslauthd:
-+
-+.EX
-+.B saslauthd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type saslauthd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type saslauthd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -73347,6 +79255,22 @@ index 0000000..7569230
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -73373,19 +79297,46 @@ index 0000000..7569230
 \ No newline at end of file
 diff --git a/man/man8/sblim_gatherd_selinux.8 b/man/man8/sblim_gatherd_selinux.8
 new file mode 100644
-index 0000000..4e2573c
+index 0000000..62a360d
 --- /dev/null
 +++ b/man/man8/sblim_gatherd_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "sblim_gatherd_selinux"  "8"  "sblim_gatherd" "dwalsh at redhat.com" "sblim_gatherd SELinux Policy documentation"
 +.SH "NAME"
 +sblim_gatherd_selinux \- Security Enhanced Linux Policy for the sblim_gatherd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sblim_gatherd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sblim_gatherd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sblim_gatherd processes execute with the sblim_gatherd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sblim_gatherd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sblim_gatherd_t SELinux type can be entered via the "sblim_gatherd_exec_t" file type.  The default entrypoint paths for the sblim_gatherd_t domain are the following:"
++
++/usr/sbin/gatherd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sblim_gatherd:
++
++.EX
++.B sblim_gatherd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -73413,27 +79364,9 @@ index 0000000..4e2573c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sblim_gatherd:
-+
-+.EX
-+.B sblim_gatherd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sblim_gatherd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sblim_gatherd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sblim_var_run_t
@@ -73441,6 +79374,8 @@ index 0000000..4e2573c
 +	/var/run/gather(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -73460,21 +79395,50 @@ index 0000000..4e2573c
 +
 +.SH "SEE ALSO"
 +selinux(8), sblim_gatherd(8), semanage(8), restorecon(8), chcon(1)
++, sblim_reposd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/sblim_reposd_selinux.8 b/man/man8/sblim_reposd_selinux.8
 new file mode 100644
-index 0000000..3d7b830
+index 0000000..593dffc
 --- /dev/null
 +++ b/man/man8/sblim_reposd_selinux.8
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,95 @@
 +.TH  "sblim_reposd_selinux"  "8"  "sblim_reposd" "dwalsh at redhat.com" "sblim_reposd SELinux Policy documentation"
 +.SH "NAME"
 +sblim_reposd_selinux \- Security Enhanced Linux Policy for the sblim_reposd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sblim_reposd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sblim_reposd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sblim_reposd processes execute with the sblim_reposd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sblim_reposd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sblim_reposd_t SELinux type can be entered via the "sblim_reposd_exec_t" file type.  The default entrypoint paths for the sblim_reposd_t domain are the following:"
++
++/usr/sbin/reposd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sblim_reposd:
++
++.EX
++.B sblim_reposd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
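Review bot: Two roff defects are carried into the new sblim_reposd page. In the PROCESS TYPES block `\fBps\bP` should be `\fBps\fP`; as written the bold font is probably not reset, and the DESCRIPTION paragraph a few lines earlier uses the correct `\fBps\fP`. The ENTRYPOINTS sentence also ends with a stray quote, `are the following:"`, which should be `are the following:`. Both repeat in the sectoolm, selinux_munin_plugin, semanage, sendmail, sensord, services_munin_plugin and setfiles hunks. The sblim_reposd page continues past the end of this hunk.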
@@ -73502,27 +79466,9 @@ index 0000000..3d7b830
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sblim_reposd:
-+
-+.EX
-+.B sblim_reposd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sblim_reposd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sblim_reposd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sblim_var_run_t
@@ -73530,6 +79476,8 @@ index 0000000..3d7b830
 +	/var/run/gather(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -73549,12 +79497,14 @@ index 0000000..3d7b830
 +
 +.SH "SEE ALSO"
 +selinux(8), sblim_reposd(8), semanage(8), restorecon(8), chcon(1)
++, sblim_gatherd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/secadm_selinux.8 b/man/man8/secadm_selinux.8
 new file mode 100644
-index 0000000..b3b1b75
+index 0000000..f7ae221
 --- /dev/null
 +++ b/man/man8/secadm_selinux.8
-@@ -0,0 +1,306 @@
+@@ -0,0 +1,330 @@
 +.TH  "secadm_selinux"  "8"  "secadm" "mgrepl at redhat.com" "secadm SELinux Policy documentation"
 +.SH "NAME"
 +secadm_r \- \fBSecurity administrator role\fP - Security Enhanced Linux Policy 
@@ -73608,7 +79558,7 @@ index 0000000..b3b1b75
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type secadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type secadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -73717,6 +79667,10 @@ index 0000000..b3b1b75
 +
 +	/home/[^/]*/\.gnupg/log-socket
 +.br
++	/home/dwalsh/\.gnupg/log-socket
++.br
++	/var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
 +
 +.br
 +.B mail_spool_t
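Review bot: The added `/home/dwalsh/\.gnupg/log-socket` and `/var/lib/xguest/home/xguest/\.gnupg/log-socket` entries look like home-directory expansions from the machine the page was generated on, not default paths, although MANAGED FILES states "The paths listed are the default paths for these file types". They publish local account names from the build host and add nothing over the existing `/home/[^/]*/\.gnupg/log-socket` template line. The same pair of prefixes is added in the `.screen` and `.fontconfig`/`.fonts` hunks below, and in the sendmail hunks for `Maildir` and `/home/dwalsh/.+`. I would regenerate the pages from a clean build root, or have the generator skip expanded homedir entries and keep only the `/home/[^/]*/` form.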
@@ -73755,6 +79709,14 @@ index 0000000..b3b1b75
 +.br
 +	/home/[^/]*/\.screenrc
 +.br
++	/home/dwalsh/\.screen(/.*)?
++.br
++	/home/dwalsh/\.screenrc
++.br
++	/var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.screenrc
++.br
 +
 +.br
 +.B selinux_config_t
@@ -73813,6 +79775,18 @@ index 0000000..b3b1b75
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_home_type
@@ -73863,33 +79837,46 @@ index 0000000..b3b1b75
 +selinux(8), secadm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8
 new file mode 100644
-index 0000000..9f14b6d
+index 0000000..97d8dbd
 --- /dev/null
 +++ b/man/man8/sectoolm_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "sectoolm_selinux"  "8"  "sectoolm" "dwalsh at redhat.com" "sectoolm SELinux Policy documentation"
 +.SH "NAME"
 +sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sectoolm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sectoolm processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sectoolm processes execute with the sectoolm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep sectoolm_t
++
++
++.SH "ENTRYPOINTS"
 +
++The sectoolm_t SELinux type can be entered via the "sectoolm_exec_t" file type.  The default entrypoint paths for the sectoolm_t domain are the following:"
++
++/usr/libexec/sectool-mechanism\.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
++.PP 
++The following process types are defined for sectoolm:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sectoolm_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -73917,27 +79904,9 @@ index 0000000..9f14b6d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sectoolm:
-+
-+.EX
-+.B sectoolm_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sectoolm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sectoolm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sectool_tmp_t
@@ -73961,6 +79930,22 @@ index 0000000..9f14b6d
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -73982,19 +79967,46 @@ index 0000000..9f14b6d
 +selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/selinux_munin_plugin_selinux.8 b/man/man8/selinux_munin_plugin_selinux.8
 new file mode 100644
-index 0000000..650ba12
+index 0000000..57d0a57
 --- /dev/null
 +++ b/man/man8/selinux_munin_plugin_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,106 @@
 +.TH  "selinux_munin_plugin_selinux"  "8"  "selinux_munin_plugin" "dwalsh at redhat.com" "selinux_munin_plugin SELinux Policy documentation"
 +.SH "NAME"
 +selinux_munin_plugin_selinux \- Security Enhanced Linux Policy for the selinux_munin_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the selinux_munin_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the selinux_munin_plugin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The selinux_munin_plugin processes execute with the selinux_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep selinux_munin_plugin_t
++
++
++.SH "ENTRYPOINTS"
++
++The selinux_munin_plugin_t SELinux type can be entered via the "selinux_munin_plugin_exec_t" file type.  The default entrypoint paths for the selinux_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/selinux_avcstat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for selinux_munin_plugin:
++
++.EX
++.B selinux_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -74030,27 +80042,9 @@ index 0000000..650ba12
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for selinux_munin_plugin:
-+
-+.EX
-+.B selinux_munin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type selinux_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type selinux_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B munin_plugin_state_t
@@ -74062,6 +80056,8 @@ index 0000000..650ba12
 +.B selinux_munin_plugin_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -74083,33 +80079,46 @@ index 0000000..650ba12
 +selinux(8), selinux_munin_plugin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8
 new file mode 100644
-index 0000000..be9a4db
+index 0000000..311dc3c
 --- /dev/null
 +++ b/man/man8/semanage_selinux.8
-@@ -0,0 +1,209 @@
+@@ -0,0 +1,220 @@
 +.TH  "semanage_selinux"  "8"  "semanage" "dwalsh at redhat.com" "semanage SELinux Policy documentation"
 +.SH "NAME"
 +semanage_selinux \- Security Enhanced Linux Policy for the semanage processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the semanage processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the semanage processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The semanage processes execute with the semanage_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep semanage_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The semanage_t SELinux type can be entered via the "semanage_exec_t" file type.  The default entrypoint paths for the semanage_t domain are the following:"
++
++/usr/share/system-config-selinux/system-config-selinux-dbus\.py, /usr/sbin/semanage, /usr/sbin/semodule
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
++.PP 
++The following process types are defined for semanage:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B semanage_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -74185,27 +80194,9 @@ index 0000000..be9a4db
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for semanage:
-+
-+.EX
-+.B semanage_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type semanage_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type semanage_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boolean_type
@@ -74277,6 +80268,22 @@ index 0000000..be9a4db
 +	/var/lib/selinux(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -74298,17 +80305,46 @@ index 0000000..be9a4db
 +selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8
 new file mode 100644
-index 0000000..635b959
+index 0000000..4bfd511
 --- /dev/null
 +++ b/man/man8/sendmail_selinux.8
-@@ -0,0 +1,262 @@
+@@ -0,0 +1,281 @@
 +.TH  "sendmail_selinux"  "8"  "sendmail" "dwalsh at redhat.com" "sendmail SELinux Policy documentation"
 +.SH "NAME"
 +sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sendmail processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sendmail processes via flexible mandatory access control.
++
++The sendmail processes execute with the sendmail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sendmail_t
++
++
++.SH "ENTRYPOINTS"
++
++The sendmail_t SELinux type can be entered via the "mta_exec_type,sendmail_exec_t" file types.  The default entrypoint paths for the sendmail_t domain are the following:"
++
++/usr/bin/mail(x)?, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/bin/esmtp, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail, /usr/lib/sendmail, /bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
++.PP 
++The following process types are defined for sendmail:
++
++.EX
++.B sendmail_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible.
@@ -74335,22 +80371,6 @@ index 0000000..635b959
 +.B setsebool -P gitosis_can_sendmail 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -74429,27 +80449,9 @@ index 0000000..635b959
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sendmail:
-+
-+.EX
-+.B sendmail_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sendmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sendmail_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -74492,6 +80494,10 @@ index 0000000..635b959
 +.br
 +	/home/[^/]*/Maildir(/.*)?
 +.br
++	/home/dwalsh/Maildir(/.*)?
++.br
++	/var/lib/xguest/home/xguest/Maildir(/.*)?
++.br
 +
 +.br
 +.B mail_spool_t
@@ -74540,6 +80546,26 @@ index 0000000..635b959
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -74567,19 +80593,46 @@ index 0000000..635b959
 \ No newline at end of file
 diff --git a/man/man8/sensord_selinux.8 b/man/man8/sensord_selinux.8
 new file mode 100644
-index 0000000..89f45f4
+index 0000000..e9d2175
 --- /dev/null
 +++ b/man/man8/sensord_selinux.8
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,110 @@
 +.TH  "sensord_selinux"  "8"  "sensord" "dwalsh at redhat.com" "sensord SELinux Policy documentation"
 +.SH "NAME"
 +sensord_selinux \- Security Enhanced Linux Policy for the sensord processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sensord processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sensord processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sensord processes execute with the sensord_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sensord_t
++
++
++.SH "ENTRYPOINTS"
++
++The sensord_t SELinux type can be entered via the "sensord_exec_t" file type.  The default entrypoint paths for the sensord_t domain are the following:"
++
++/usr/sbin/sensord
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible.
++.PP 
++The following process types are defined for sensord:
++
++.EX
++.B sensord_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -74623,27 +80676,9 @@ index 0000000..89f45f4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sensord:
-+
-+.EX
-+.B sensord_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sensord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sensord_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sensord_var_run_t
@@ -74651,6 +80686,8 @@ index 0000000..89f45f4
 +	/var/run/sensord\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -74672,19 +80709,46 @@ index 0000000..89f45f4
 +selinux(8), sensord(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/services_munin_plugin_selinux.8 b/man/man8/services_munin_plugin_selinux.8
 new file mode 100644
-index 0000000..85b97dd
+index 0000000..c0e4a6f
 --- /dev/null
 +++ b/man/man8/services_munin_plugin_selinux.8
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,110 @@
 +.TH  "services_munin_plugin_selinux"  "8"  "services_munin_plugin" "dwalsh at redhat.com" "services_munin_plugin SELinux Policy documentation"
 +.SH "NAME"
 +services_munin_plugin_selinux \- Security Enhanced Linux Policy for the services_munin_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the services_munin_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the services_munin_plugin processes via flexible mandatory access control.
++
++The services_munin_plugin processes execute with the services_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep services_munin_plugin_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The services_munin_plugin_t SELinux type can be entered via the "services_munin_plugin_exec_t" file type.  The default entrypoint paths for the services_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/http_loadtime
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for services_munin_plugin:
++
++.EX
++.B services_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -74724,27 +80788,9 @@ index 0000000..85b97dd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for services_munin_plugin:
-+
-+.EX
-+.B services_munin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type services_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type services_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B munin_plugin_state_t
@@ -74756,6 +80802,8 @@ index 0000000..85b97dd
 +.B services_munin_plugin_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -74777,19 +80825,46 @@ index 0000000..85b97dd
 +selinux(8), services_munin_plugin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8
 new file mode 100644
-index 0000000..ee5a350
+index 0000000..a36c592
 --- /dev/null
 +++ b/man/man8/setfiles_selinux.8
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,104 @@
 +.TH  "setfiles_selinux"  "8"  "setfiles" "dwalsh at redhat.com" "setfiles SELinux Policy documentation"
 +.SH "NAME"
 +setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the setfiles processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the setfiles processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The setfiles processes execute with the setfiles_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep setfiles_t
++
++
++.SH "ENTRYPOINTS"
++
++The setfiles_t SELinux type can be entered via the "setfiles_exec_t" file type.  The default entrypoint paths for the setfiles_t domain are the following:"
++
++/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/setfiles.*, /usr/sbin/restorecon
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
++.PP 
++The following process types are defined for setfiles:
++
++.EX
++.B setfiles_mac_t, setfiles_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
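Review bot: The relocated PROCESS TYPES text still ends its `ps` reference with `\bP`, which is roff's bracket-building escape and not a font reset, so the bold is never closed properly. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends in a stray double quote (`are the following:"`), which should be dropped. Both defects repeat in the setkey, setrans, setroubleshoot_fixit, setroubleshootd, setsebool, sge_execd and sge_job hunks below. The setfiles page itself continues outside this hunk.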
@@ -74821,27 +80896,9 @@ index 0000000..ee5a350
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for setfiles:
-+
-+.EX
-+.B setfiles_mac_t, setfiles_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type setfiles_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type setfiles_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B security_t
@@ -74855,6 +80912,8 @@ index 0000000..ee5a350
 +	all user home files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -74876,19 +80935,46 @@ index 0000000..ee5a350
 +selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8
 new file mode 100644
-index 0000000..0335054
+index 0000000..34fdfd9
 --- /dev/null
 +++ b/man/man8/setkey_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "setkey_selinux"  "8"  "setkey" "dwalsh at redhat.com" "setkey SELinux Policy documentation"
 +.SH "NAME"
 +setkey_selinux \- Security Enhanced Linux Policy for the setkey processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the setkey processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the setkey processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The setkey processes execute with the setkey_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep setkey_t
++
++
++.SH "ENTRYPOINTS"
++
++The setkey_t SELinux type can be entered via the "setkey_exec_t" file type.  The default entrypoint paths for the setkey_t domain are the following:"
++
++/usr/sbin/setkey, /sbin/setkey
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
++.PP 
++The following process types are defined for setkey:
++
++.EX
++.B setkey_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
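Review bot: The permissive note under PROCESS TYPES tells the reader how to switch enforcement off for a domain but not that the change persists or how to undo it. A permissive domain is no longer denied anything, as the paragraph itself says, so the page should pair the command with its reversal. I would add a sentence such as `Use semanage permissive -d PROCESS_TYPE to return the type to enforcing once the AVC messages have been reviewed.` The same paragraph appears in the setfiles hunk above and in the setrans, setroubleshoot_fixit, setroubleshootd, setsebool, sge_execd and sge_job hunks below.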
@@ -74920,27 +81006,11 @@ index 0000000..0335054
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for setkey:
-+
-+.EX
-+.B setkey_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type setkey_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type setkey_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -74963,19 +81033,46 @@ index 0000000..0335054
 +selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8
 new file mode 100644
-index 0000000..b26f4bd
+index 0000000..cdd861f
 --- /dev/null
 +++ b/man/man8/setrans_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,126 @@
 +.TH  "setrans_selinux"  "8"  "setrans" "dwalsh at redhat.com" "setrans SELinux Policy documentation"
 +.SH "NAME"
 +setrans_selinux \- Security Enhanced Linux Policy for the setrans processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the setrans processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the setrans processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The setrans processes execute with the setrans_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep setrans_t
++
++
++.SH "ENTRYPOINTS"
++
++The setrans_t SELinux type can be entered via the "setrans_exec_t" file type.  The default entrypoint paths for the setrans_t domain are the following:"
++
++/sbin/mcstransd, /usr/sbin/mcstransd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
++.PP 
++The following process types are defined for setrans:
++
++.EX
++.B setrans_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -75027,27 +81124,9 @@ index 0000000..b26f4bd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for setrans:
-+
-+.EX
-+.B setrans_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type setrans_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type setrans_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B security_t
@@ -75063,6 +81142,8 @@ index 0000000..b26f4bd
 +	/var/run/mcstransd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -75084,33 +81165,46 @@ index 0000000..b26f4bd
 +selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/setroubleshoot_fixit_selinux.8 b/man/man8/setroubleshoot_fixit_selinux.8
 new file mode 100644
-index 0000000..5058700
+index 0000000..7199e98
 --- /dev/null
 +++ b/man/man8/setroubleshoot_fixit_selinux.8
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,103 @@
 +.TH  "setroubleshoot_fixit_selinux"  "8"  "setroubleshoot_fixit" "dwalsh at redhat.com" "setroubleshoot_fixit SELinux Policy documentation"
 +.SH "NAME"
 +setroubleshoot_fixit_selinux \- Security Enhanced Linux Policy for the setroubleshoot_fixit processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the setroubleshoot_fixit processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the setroubleshoot_fixit processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The setroubleshoot_fixit processes execute with the setroubleshoot_fixit_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep setroubleshoot_fixit_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The setroubleshoot_fixit_t SELinux type can be entered via the "setroubleshoot_fixit_exec_t" file type.  The default entrypoint paths for the setroubleshoot_fixit_t domain are the following:"
++
++/usr/share/setroubleshoot/SetroubleshootFixit\.py*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible.
++.PP 
++The following process types are defined for setroubleshoot_fixit:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setroubleshoot_fixit_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -75138,27 +81232,25 @@ index 0000000..5058700
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type setroubleshoot_fixit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for setroubleshoot_fixit:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B setroubleshoot_fixit_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type setroubleshoot_fixit_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
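Review bot: The NSSWITCH DOMAIN paragraph moved here keeps its wording errors, `rather then using a sssd serve`, which should read `rather than using an sssd server`. The sentence is security-relevant guidance, since it explains when to let a confined domain talk to LDAP directly, so it is worth getting right. The same sentence is added again in the setroubleshootd, setsebool, sge_execd and sge_job hunks below.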
@@ -75179,35 +81271,50 @@ index 0000000..5058700
 +
 +.SH "SEE ALSO"
 +selinux(8), setroubleshoot_fixit(8), semanage(8), restorecon(8), chcon(1)
++, setroubleshootd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8
 new file mode 100644
-index 0000000..1885226
+index 0000000..66836e9
 --- /dev/null
 +++ b/man/man8/setroubleshootd_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,127 @@
 +.TH  "setroubleshootd_selinux"  "8"  "setroubleshootd" "dwalsh at redhat.com" "setroubleshootd SELinux Policy documentation"
 +.SH "NAME"
 +setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the setroubleshootd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the setroubleshootd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The setroubleshootd processes execute with the setroubleshootd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep setroubleshootd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The setroubleshootd_t SELinux type can be entered via the "setroubleshootd_exec_t" file type.  The default entrypoint paths for the setroubleshootd_t domain are the following:"
++
++/usr/sbin/setroubleshootd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
++.PP 
++The following process types are defined for setroubleshootd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setroubleshoot_fixit_t, setroubleshootd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -75235,27 +81342,9 @@ index 0000000..1885226
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for setroubleshootd:
-+
-+.EX
-+.B setroubleshoot_fixit_t, setroubleshootd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type setroubleshootd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type setroubleshootd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B security_t
@@ -75281,6 +81370,22 @@ index 0000000..1885226
 +	/var/run/setroubleshoot(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -75304,33 +81409,46 @@ index 0000000..1885226
 \ No newline at end of file
 diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8
 new file mode 100644
-index 0000000..098ee19
+index 0000000..a120ac3
 --- /dev/null
 +++ b/man/man8/setsebool_selinux.8
-@@ -0,0 +1,149 @@
+@@ -0,0 +1,160 @@
 +.TH  "setsebool_selinux"  "8"  "setsebool" "dwalsh at redhat.com" "setsebool SELinux Policy documentation"
 +.SH "NAME"
 +setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the setsebool processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the setsebool processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The setsebool processes execute with the setsebool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep setsebool_t
 +
++
++.SH "ENTRYPOINTS"
++
++The setsebool_t SELinux type can be entered via the "setsebool_exec_t" file type.  The default entrypoint paths for the setsebool_t domain are the following:"
++
++/usr/sbin/setsebool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
++.PP 
++The following process types are defined for setsebool:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -75358,27 +81476,9 @@ index 0000000..098ee19
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for setsebool:
-+
-+.EX
-+.B setsebool_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type setsebool_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type setsebool_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B boolean_type
@@ -75438,6 +81538,22 @@ index 0000000..098ee19
 +	/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -75459,33 +81575,46 @@ index 0000000..098ee19
 +selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sge_execd_selinux.8 b/man/man8/sge_execd_selinux.8
 new file mode 100644
-index 0000000..533a01d
+index 0000000..9031a18
 --- /dev/null
 +++ b/man/man8/sge_execd_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,113 @@
 +.TH  "sge_execd_selinux"  "8"  "sge_execd" "dwalsh at redhat.com" "sge_execd SELinux Policy documentation"
 +.SH "NAME"
 +sge_execd_selinux \- Security Enhanced Linux Policy for the sge_execd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sge_execd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sge_execd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sge_execd processes execute with the sge_execd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep sge_execd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The sge_execd_t SELinux type can be entered via the "sge_execd_exec_t" file type.  The default entrypoint paths for the sge_execd_t domain are the following:"
++
++/usr/bin/sge_execd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sge_execd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sge_execd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sge_execd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -75513,27 +81642,9 @@ index 0000000..533a01d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sge_execd:
-+
-+.EX
-+.B sge_execd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sge_execd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sge_execd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sge_spool_t
@@ -75545,6 +81656,22 @@ index 0000000..533a01d
 +.B sge_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sge_execd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -75564,35 +81691,50 @@ index 0000000..533a01d
 +
 +.SH "SEE ALSO"
 +selinux(8), sge_execd(8), semanage(8), restorecon(8), chcon(1)
++, sge_job_selinux(8), sge_shepherd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/sge_job_selinux.8 b/man/man8/sge_job_selinux.8
 new file mode 100644
-index 0000000..2f731de
+index 0000000..950438c
 --- /dev/null
 +++ b/man/man8/sge_job_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,143 @@
 +.TH  "sge_job_selinux"  "8"  "sge_job" "dwalsh at redhat.com" "sge_job SELinux Policy documentation"
 +.SH "NAME"
 +sge_job_selinux \- Security Enhanced Linux Policy for the sge_job processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sge_job processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sge_job processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sge_job processes execute with the sge_job_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep sge_job_t
++
++
++.SH "ENTRYPOINTS"
++
++The sge_job_t SELinux type can be entered via the "sge_job_exec_t,shell_exec_t" file types.  The default entrypoint paths for the sge_job_t domain are the following:"
 +
++/usr/bin/fish, /usr/bin/ksh.*, /usr/bin/bash, /bin/ksh.*, /bin/zsh.*, /usr/libexec/sesh, /bin/bash, /usr/bin/git-shell, /usr/bin/yash, /usr/sbin/sesh, /bin/mksh, /bin/fish, /usr/bin/sash, /bin/tcsh, /usr/libexec/git-core/git-shell, /usr/bin/zsh.*, /usr/bin/scponly, /usr/bin/mksh, /bin/esh, /sbin/nologin, /usr/sbin/scponlyc, /usr/bin/d?ash, /bin/yash, /bin/sash, /bin/d?ash, /usr/bin/esh, /bin/bash2, /usr/sbin/nologin, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/tcsh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible.
++.PP 
++The following process types are defined for sge_job:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sge_job_ssh_t, sge_job_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -75620,27 +81762,9 @@ index 0000000..2f731de
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sge_job:
-+
-+.EX
-+.B sge_job_ssh_t, sge_job_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sge_job_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sge_job_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sge_spool_t
@@ -75673,6 +81797,30 @@ index 0000000..2f731de
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
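Review bot: The added `/home/dwalsh/\.ssh(/.*)?`, `/home/dwalsh/\.shosts` and the two `/var/lib/xguest/home/xguest/...` entries look like home directories of accounts on the machine that generated the page, not policy defaults. Shipping them publishes a local account name and lists paths that will not exist on an installed system, while the generic `/home/[^/]*/\.shosts` entry just above already covers per-user homes. I would drop the four host-specific path lines with their `.br` separators and have the generator emit only the templated home-directory pattern. The file-type heading these paths belong to is above the hunk, so the type cannot be confirmed from here.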
@@ -75693,21 +81841,50 @@ index 0000000..2f731de
 +
 +.SH "SEE ALSO"
 +selinux(8), sge_job(8), semanage(8), restorecon(8), chcon(1)
++, sge_execd_selinux(8), sge_shepherd_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/sge_shepherd_selinux.8 b/man/man8/sge_shepherd_selinux.8
 new file mode 100644
-index 0000000..e8abc98
+index 0000000..cea08c2
 --- /dev/null
 +++ b/man/man8/sge_shepherd_selinux.8
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,99 @@
 +.TH  "sge_shepherd_selinux"  "8"  "sge_shepherd" "dwalsh at redhat.com" "sge_shepherd SELinux Policy documentation"
 +.SH "NAME"
 +sge_shepherd_selinux \- Security Enhanced Linux Policy for the sge_shepherd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sge_shepherd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sge_shepherd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sge_shepherd processes execute with the sge_shepherd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sge_shepherd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sge_shepherd_t SELinux type can be entered via the "sge_shepherd_exec_t" file type.  The default entrypoint paths for the sge_shepherd_t domain are the following:"
++
++/usr/bin/sge_shepherd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sge_shepherd:
++
++.EX
++.B sge_shepherd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
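Review bot: `\fBps\bP` on the relocated PROCESS TYPES line does not close the bold font, because `\bP` is not the font-reset escape; it should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried into every PROCESS TYPES block moved in this diff (sge_job, shorewall, showmount, shutdown, slapd, slpd, smbcontrol, smbd), so the fix belongs in the generator template rather than in each page. The new ENTRYPOINTS sentence also ends with an unmatched `"` after `following:`, and that repeats in the other pages as well.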
@@ -75735,27 +81912,9 @@ index 0000000..e8abc98
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sge_shepherd:
-+
-+.EX
-+.B sge_shepherd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sge_shepherd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sge_shepherd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sge_spool_t
@@ -75767,6 +81926,8 @@ index 0000000..e8abc98
 +.B sge_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
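Review bot: `.SH NSSWITCH DOMAIN` is emitted here with no body, so the rendered page shows an empty section heading directly followed by COMMANDS. A reader cannot tell whether sge_shepherd_t has no nsswitch-related booleans or whether the text was lost. The same empty heading is added in showmount_selinux.8 and smbcontrol_selinux.8. I would have the generator skip the heading when it has nothing to list.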
@@ -75786,35 +81947,50 @@ index 0000000..e8abc98
 +
 +.SH "SEE ALSO"
 +selinux(8), sge_shepherd(8), semanage(8), restorecon(8), chcon(1)
++, sge_execd_selinux(8), sge_job_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8
 new file mode 100644
-index 0000000..311756f
+index 0000000..f71ea96
 --- /dev/null
 +++ b/man/man8/shorewall_selinux.8
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,204 @@
 +.TH  "shorewall_selinux"  "8"  "shorewall" "dwalsh at redhat.com" "shorewall SELinux Policy documentation"
 +.SH "NAME"
 +shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the shorewall processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the shorewall processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The shorewall processes execute with the shorewall_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep shorewall_t
++
++
++.SH "ENTRYPOINTS"
 +
++The shorewall_t SELinux type can be entered via the "shorewall_var_lib_t,shorewall_exec_t" file types.  The default entrypoint paths for the shorewall_t domain are the following:"
++
++/var/lib/shorewall-lite(/.*)?, /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?, /sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite, /usr/sbin/shorewall6?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
++.PP 
++The following process types are defined for shorewall:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B shorewall_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
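Review bot: The new ENTRYPOINTS text lists `shorewall_var_lib_t` (`/var/lib/shorewall(/.*)?` and siblings) as an entrypoint into shorewall_t, and a later hunk of this page shows `/var/lib/shorewall-lite(/.*)?` at the end of MANAGED FILES, which suggests the domain can modify files it can also be entered through. The type heading for that managed path is outside the visible hunks, so this is an inference. If it holds, the policy should be checked and the page should say so, since an entrypoint type the confined process can write weakens the domain transition. Separately, the two type names are wrapped in one pair of quotes and read as a single type; I would list them as `shorewall_var_lib_t, shorewall_exec_t` without the quotes.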
@@ -75906,27 +82082,9 @@ index 0000000..311756f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for shorewall:
-+
-+.EX
-+.B shorewall_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type shorewall_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type shorewall_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B initrc_var_run_t
@@ -75966,6 +82124,22 @@ index 0000000..311756f
 +	/var/lib/shorewall-lite(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
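Review bot: The sentence ending `for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean` reads as if the boolean were scoped to shorewall_t, but SELinux booleans are policy-wide and `setsebool -P` persists the change, so enabling it affects every domain the boolean covers. I would say so explicitly, e.g. `Note: this boolean is system-wide and -P persists it across reboots; it is not limited to shorewall_t.` The same paragraph has two typos: `rather then using a sssd serve` should be `rather than using an sssd server`. Both points apply to the identical NSSWITCH DOMAIN blocks added for sge_job, shutdown, slapd, slpd and smbd in this diff.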
@@ -75987,19 +82161,46 @@ index 0000000..311756f
 +selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8
 new file mode 100644
-index 0000000..0e81d8f
+index 0000000..759ceb4
 --- /dev/null
 +++ b/man/man8/showmount_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,88 @@
 +.TH  "showmount_selinux"  "8"  "showmount" "dwalsh at redhat.com" "showmount SELinux Policy documentation"
 +.SH "NAME"
 +showmount_selinux \- Security Enhanced Linux Policy for the showmount processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the showmount processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the showmount processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The showmount processes execute with the showmount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep showmount_t
++
++
++.SH "ENTRYPOINTS"
++
++The showmount_t SELinux type can be entered via the "showmount_exec_t" file type.  The default entrypoint paths for the showmount_t domain are the following:"
++
++/usr/sbin/showmount
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
++.PP 
++The following process types are defined for showmount:
++
++.EX
++.B showmount_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -76027,27 +82228,11 @@ index 0000000..0e81d8f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for showmount:
-+
-+.EX
-+.B showmount_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type showmount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type showmount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -76070,43 +82255,56 @@ index 0000000..0e81d8f
 +selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8
 new file mode 100644
-index 0000000..66ed980
+index 0000000..85aca65
 --- /dev/null
 +++ b/man/man8/shutdown_selinux.8
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,175 @@
 +.TH  "shutdown_selinux"  "8"  "shutdown" "dwalsh at redhat.com" "shutdown SELinux Policy documentation"
 +.SH "NAME"
 +shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the shutdown processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the shutdown processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible.
++The shutdown processes execute with the shutdown_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
++.B ps -eZ | grep shutdown_t
 +
-+.EX
-+.B setsebool -P httpd_graceful_shutdown 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The shutdown_t SELinux type can be entered via the "shutdown_exec_t" file type.  The default entrypoint paths for the shutdown_t domain are the following:"
 +
++/sbin/shutdown, /usr/sbin/shutdown, /usr/lib/upstart/shutdown, /lib/upstart/shutdown
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
++.PP 
++The following process types are defined for shutdown:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B shutdown_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean.
++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_graceful_shutdown 1
 +.EE
 +
 +.SH FILE CONTEXTS
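Review bot: `httpd_graceful_shutdown` is listed under BOOLEANS for shutdown, but its own description (`allow HTTPD to connect to port 80 for graceful shutdown`) concerns the web server. It looks as if it was selected by a name match on "shutdown" rather than because it affects shutdown_t. An administrator tuning shutdown_t could toggle an unrelated httpd permission on the strength of this page. I would drop the entry here, or have the generator select booleans by the domains their rules reference rather than by name. The BOOLEANS text is relocated rather than new, so the selection logic itself is outside this hunk.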
@@ -76155,27 +82353,9 @@ index 0000000..66ed980
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for shutdown:
-+
-+.EX
-+.B shutdown_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type shutdown_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type shutdown_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B initrc_var_run_t
@@ -76215,6 +82395,22 @@ index 0000000..66ed980
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -76241,33 +82437,46 @@ index 0000000..66ed980
 \ No newline at end of file
 diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8
 new file mode 100644
-index 0000000..a306cd7
+index 0000000..5451371
 --- /dev/null
 +++ b/man/man8/slapd_selinux.8
-@@ -0,0 +1,267 @@
+@@ -0,0 +1,278 @@
 +.TH  "slapd_selinux"  "8"  "slapd" "dwalsh at redhat.com" "slapd SELinux Policy documentation"
 +.SH "NAME"
 +slapd_selinux \- Security Enhanced Linux Policy for the slapd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the slapd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the slapd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The slapd processes execute with the slapd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep slapd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The slapd_t SELinux type can be entered via the "slapd_exec_t" file type.  The default entrypoint paths for the slapd_t domain are the following:"
++
++/usr/sbin/slapd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
++.PP 
++The following process types are defined for slapd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B slapd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
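Review bot: The `semanage permissive -a PROCESS_TYPE` note does not say that a permissive domain is no longer confined by SELinux at all, which matters for a network-facing daemon such as slapd. I would add a line after it, e.g. `Use this only for troubleshooting and remove it again with semanage permissive -d PROCESS_TYPE.` The same note is repeated in every PROCESS TYPES block relocated by this diff, so the wording is best changed once in the generator.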
@@ -76399,27 +82608,9 @@ index 0000000..a306cd7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for slapd:
-+
-+.EX
-+.B slapd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type slapd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type slapd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -76493,6 +82684,22 @@ index 0000000..a306cd7
 +	/var/run/slapd\.args
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -76514,33 +82721,46 @@ index 0000000..a306cd7
 +selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/slpd_selinux.8 b/man/man8/slpd_selinux.8
 new file mode 100644
-index 0000000..7d79f13
+index 0000000..f822440
 --- /dev/null
 +++ b/man/man8/slpd_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "slpd_selinux"  "8"  "slpd" "dwalsh at redhat.com" "slpd SELinux Policy documentation"
 +.SH "NAME"
 +slpd_selinux \- Security Enhanced Linux Policy for the slpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the slpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the slpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The slpd processes execute with the slpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep slpd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The slpd_t SELinux type can be entered via the "slpd_exec_t" file type.  The default entrypoint paths for the slpd_t domain are the following:"
++
++/usr/sbin/slpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the slpd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for slpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B slpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -76592,27 +82812,9 @@ index 0000000..7d79f13
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for slpd:
-+
-+.EX
-+.B slpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type slpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type slpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B slpd_var_log_t
@@ -76626,6 +82828,22 @@ index 0000000..7d79f13
 +	/var/run/slpd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the slpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -76647,19 +82865,46 @@ index 0000000..7d79f13
 +selinux(8), slpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8
 new file mode 100644
-index 0000000..7a4c12c
+index 0000000..2349e1d
 --- /dev/null
 +++ b/man/man8/smbcontrol_selinux.8
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,98 @@
 +.TH  "smbcontrol_selinux"  "8"  "smbcontrol" "dwalsh at redhat.com" "smbcontrol SELinux Policy documentation"
 +.SH "NAME"
 +smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the smbcontrol processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the smbcontrol processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The smbcontrol processes execute with the smbcontrol_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep smbcontrol_t
++
++
++.SH "ENTRYPOINTS"
++
++The smbcontrol_t SELinux type can be entered via the "smbcontrol_exec_t" file type.  The default entrypoint paths for the smbcontrol_t domain are the following:"
++
++/usr/bin/smbcontrol
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
++.PP 
++The following process types are defined for smbcontrol:
++
++.EX
++.B smbcontrol_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -76687,27 +82932,9 @@ index 0000000..7a4c12c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for smbcontrol:
-+
-+.EX
-+.B smbcontrol_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type smbcontrol_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type smbcontrol_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B samba_var_t
@@ -76719,6 +82946,8 @@ index 0000000..7a4c12c
 +	/var/spool/samba(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -76740,33 +82969,46 @@ index 0000000..7a4c12c
 +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8
 new file mode 100644
-index 0000000..a46dfb3
+index 0000000..5ed9df9
 --- /dev/null
 +++ b/man/man8/smbd_selinux.8
-@@ -0,0 +1,312 @@
+@@ -0,0 +1,323 @@
 +.TH  "smbd_selinux"  "8"  "smbd" "dwalsh at redhat.com" "smbd SELinux Policy documentation"
 +.SH "NAME"
 +smbd_selinux \- Security Enhanced Linux Policy for the smbd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the smbd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the smbd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The smbd processes execute with the smbd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep smbd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The smbd_t SELinux type can be entered via the "smbd_exec_t" file type.  The default entrypoint paths for the smbd_t domain are the following:"
++
++/usr/sbin/smbd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
++.PP 
++The following process types are defined for smbd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B smbcontrol_t, smbmount_t, smbd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
@@ -76871,27 +83113,9 @@ index 0000000..a46dfb3
 +Default Defined Ports:
 +tcp 137-139,445
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for smbd:
-+
-+.EX
-+.B smbcontrol_t, smbmount_t, smbd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type smbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type smbd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -77033,6 +83257,22 @@ index 0000000..a46dfb3
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -77059,33 +83299,46 @@ index 0000000..a46dfb3
 \ No newline at end of file
 diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8
 new file mode 100644
-index 0000000..7b6ceed
+index 0000000..09bb0ab
 --- /dev/null
 +++ b/man/man8/smbmount_selinux.8
-@@ -0,0 +1,177 @@
+@@ -0,0 +1,188 @@
 +.TH  "smbmount_selinux"  "8"  "smbmount" "dwalsh at redhat.com" "smbmount SELinux Policy documentation"
 +.SH "NAME"
 +smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the smbmount processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the smbmount processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The smbmount processes execute with the smbmount_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep smbmount_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The smbmount_t SELinux type can be entered via the "smbmount_exec_t" file type.  The default entrypoint paths for the smbmount_t domain are the following:"
++
++/usr/bin/smbmnt, /usr/bin/smbmount
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
++.PP 
++The following process types are defined for smbmount:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B smbmount_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -77117,27 +83370,9 @@ index 0000000..7b6ceed
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for smbmount:
-+
-+.EX
-+.B smbmount_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type smbmount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type smbmount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_runtime_t
@@ -77221,6 +83456,22 @@ index 0000000..7b6ceed
 +	/var/spool/samba(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -77242,33 +83493,46 @@ index 0000000..7b6ceed
 +selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8
 new file mode 100644
-index 0000000..66973bf
+index 0000000..06d2bff
 --- /dev/null
 +++ b/man/man8/smokeping_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "smokeping_selinux"  "8"  "smokeping" "dwalsh at redhat.com" "smokeping SELinux Policy documentation"
 +.SH "NAME"
 +smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the smokeping processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the smokeping processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The smokeping processes execute with the smokeping_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep smokeping_t
++
++
++.SH "ENTRYPOINTS"
++
++The smokeping_t SELinux type can be entered via the "smokeping_exec_t" file type.  The default entrypoint paths for the smokeping_t domain are the following:"
 +
++/usr/sbin/smokeping
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
++.PP 
++The following process types are defined for smokeping:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B smokeping_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -77320,27 +83584,9 @@ index 0000000..66973bf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for smokeping:
-+
-+.EX
-+.B smokeping_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type smokeping_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type smokeping_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B smokeping_var_lib_t
@@ -77354,6 +83600,22 @@ index 0000000..66973bf
 +	/var/run/smokeping(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -77375,33 +83637,46 @@ index 0000000..66973bf
 +selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8
 new file mode 100644
-index 0000000..4059e62
+index 0000000..df5f3e1
 --- /dev/null
 +++ b/man/man8/smoltclient_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,114 @@
 +.TH  "smoltclient_selinux"  "8"  "smoltclient" "dwalsh at redhat.com" "smoltclient SELinux Policy documentation"
 +.SH "NAME"
 +smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the smoltclient processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the smoltclient processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The smoltclient processes execute with the smoltclient_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep smoltclient_t
 +
++
++.SH "ENTRYPOINTS"
++
++The smoltclient_t SELinux type can be entered via the "smoltclient_exec_t" file type.  The default entrypoint paths for the smoltclient_t domain are the following:"
++
++/usr/share/smolt/client/sendProfile.py
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
++.PP 
++The following process types are defined for smoltclient:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B smoltclient_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -77437,32 +83712,30 @@ index 0000000..4059e62
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for smoltclient:
-+
-+.EX
-+.B smoltclient_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type smoltclient_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type smoltclient_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B smoltclient_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -77484,33 +83757,46 @@ index 0000000..4059e62
 +selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8
 new file mode 100644
-index 0000000..00ce3f1
+index 0000000..9377ab8
 --- /dev/null
 +++ b/man/man8/snmpd_selinux.8
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,204 @@
 +.TH  "snmpd_selinux"  "8"  "snmpd" "dwalsh at redhat.com" "snmpd SELinux Policy documentation"
 +.SH "NAME"
 +snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the snmpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the snmpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The snmpd processes execute with the snmpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep snmpd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The snmpd_t SELinux type can be entered via the "snmpd_exec_t" file type.  The default entrypoint paths for the snmpd_t domain are the following:"
++
++/usr/sbin/snmp(trap)?d
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for snmpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B snmpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -77607,27 +83893,9 @@ index 0000000..00ce3f1
 +.EE
 +udp 161-162
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for snmpd:
-+
-+.EX
-+.B snmpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type snmpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type snmpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B snmpd_log_t
@@ -77659,6 +83927,22 @@ index 0000000..00ce3f1
 +	/var/run/snmpd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -77683,19 +83967,46 @@ index 0000000..00ce3f1
 +selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8
 new file mode 100644
-index 0000000..3b0dcb6
+index 0000000..5de44df
 --- /dev/null
 +++ b/man/man8/snort_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,156 @@
 +.TH  "snort_selinux"  "8"  "snort" "dwalsh at redhat.com" "snort SELinux Policy documentation"
 +.SH "NAME"
 +snort_selinux \- Security Enhanced Linux Policy for the snort processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the snort processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the snort processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The snort processes execute with the snort_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep snort_t
++
++
++.SH "ENTRYPOINTS"
++
++The snort_t SELinux type can be entered via the "snort_exec_t" file type.  The default entrypoint paths for the snort_t domain are the following:"
++
++/usr/sbin/snort-plain, /usr/s?bin/snort
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
++.PP 
++The following process types are defined for snort:
++
++.EX
++.B snort_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -77767,27 +84078,9 @@ index 0000000..3b0dcb6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for snort:
-+
-+.EX
-+.B snort_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type snort_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type snort_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B prelude_spool_t
@@ -77813,6 +84106,8 @@ index 0000000..3b0dcb6
 +	/var/run/snort.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -77834,33 +84129,46 @@ index 0000000..3b0dcb6
 +selinux(8), snort(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8
 new file mode 100644
-index 0000000..5ef70fd
+index 0000000..d2d6e10
 --- /dev/null
 +++ b/man/man8/sosreport_selinux.8
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,204 @@
 +.TH  "sosreport_selinux"  "8"  "sosreport" "dwalsh at redhat.com" "sosreport SELinux Policy documentation"
 +.SH "NAME"
 +sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sosreport processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sosreport processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sosreport processes execute with the sosreport_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep sosreport_t
++
++
++.SH "ENTRYPOINTS"
 +
++The sosreport_t SELinux type can be entered via the "sosreport_exec_t" file type.  The default entrypoint paths for the sosreport_t domain are the following:"
++
++/usr/sbin/sosreport
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
++.PP 
++The following process types are defined for sosreport:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sosreport_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -77904,27 +84212,9 @@ index 0000000..5ef70fd
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sosreport:
-+
-+.EX
-+.B sosreport_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sosreport_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sosreport_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B abrt_var_cache_t
@@ -78012,6 +84302,22 @@ index 0000000..5ef70fd
 +.B sosreport_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -78033,19 +84339,46 @@ index 0000000..5ef70fd
 +selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8
 new file mode 100644
-index 0000000..87ab6a2
+index 0000000..23790e5
 --- /dev/null
 +++ b/man/man8/soundd_selinux.8
-@@ -0,0 +1,185 @@
+@@ -0,0 +1,196 @@
 +.TH  "soundd_selinux"  "8"  "soundd" "dwalsh at redhat.com" "soundd SELinux Policy documentation"
 +.SH "NAME"
 +soundd_selinux \- Security Enhanced Linux Policy for the soundd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the soundd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the soundd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The soundd processes execute with the soundd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep soundd_t
++
++
++.SH "ENTRYPOINTS"
++
++The soundd_t SELinux type can be entered via the "soundd_exec_t" file type.  The default entrypoint paths for the soundd_t domain are the following:"
++
++/usr/bin/gpe-soundserver, /usr/sbin/yiff, /usr/bin/nasd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
++.PP 
++The following process types are defined for soundd:
++
++.EX
++.B soundd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -78156,27 +84489,9 @@ index 0000000..87ab6a2
 +Default Defined Ports:
 +tcp 8000,9433,16001
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for soundd:
-+
-+.EX
-+.B soundd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type soundd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type soundd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B soundd_state_t
@@ -78200,6 +84515,8 @@ index 0000000..87ab6a2
 +	/var/run/yiff-[0-9]+\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -78224,33 +84541,46 @@ index 0000000..87ab6a2
 +selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/spamass_milter_selinux.8 b/man/man8/spamass_milter_selinux.8
 new file mode 100644
-index 0000000..8b878ba
+index 0000000..1bbcce2
 --- /dev/null
 +++ b/man/man8/spamass_milter_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,134 @@
 +.TH  "spamass_milter_selinux"  "8"  "spamass_milter" "dwalsh at redhat.com" "spamass_milter SELinux Policy documentation"
 +.SH "NAME"
 +spamass_milter_selinux \- Security Enhanced Linux Policy for the spamass_milter processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the spamass_milter processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the spamass_milter processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The spamass_milter processes execute with the spamass_milter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep spamass_milter_t
++
++
++.SH "ENTRYPOINTS"
++
++The spamass_milter_t SELinux type can be entered via the "spamass_milter_exec_t" file type.  The default entrypoint paths for the spamass_milter_t domain are the following:"
 +
++/usr/sbin/spamass-milter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the spamass_milter_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamass_milter:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B spamass_milter_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -78298,27 +84628,9 @@ index 0000000..8b878ba
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for spamass_milter:
-+
-+.EX
-+.B spamass_milter_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type spamass_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type spamass_milter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B spamass_milter_data_t
@@ -78332,6 +84644,22 @@ index 0000000..8b878ba
 +	/var/run/spamass-milter\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamass_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -78353,33 +84681,46 @@ index 0000000..8b878ba
 +selinux(8), spamass_milter(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8
 new file mode 100644
-index 0000000..55fb70a
+index 0000000..3620826
 --- /dev/null
 +++ b/man/man8/spamc_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,172 @@
 +.TH  "spamc_selinux"  "8"  "spamc" "dwalsh at redhat.com" "spamc SELinux Policy documentation"
 +.SH "NAME"
 +spamc_selinux \- Security Enhanced Linux Policy for the spamc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the spamc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the spamc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The spamc processes execute with the spamc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep spamc_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The spamc_t SELinux type can be entered via the "spamc_exec_t" file type.  The default entrypoint paths for the spamc_t domain are the following:"
++
++/usr/bin/pyzor, /usr/bin/spamc, /usr/bin/razor.*, /usr/bin/sa-learn, /usr/bin/spamassassin
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamc:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B spamc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
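Review bot: The relocated PROCESS TYPES text still contains `\fBps\bP`, where `\bP` is not a font escape, so bold is never switched off after `ps`; it should read `\fBps\fP`. The added ENTRYPOINTS sentence also ends with a stray `"` after `following:`, and the path list runs straight into `.SH PROCESS TYPES` with no paragraph break. The same three defects recur in the spamd, spamd_update, squid_cron, squid, srvsvcd and ssh_keygen pages later in this patch. These pages look machine-produced, so the fix probably belongs in whatever emits them (not visible here) rather than in each file.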
@@ -78431,27 +84772,9 @@ index 0000000..55fb70a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for spamc:
-+
-+.EX
-+.B spamc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type spamc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type spamc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B spamass_milter_state_t
@@ -78478,11 +84801,43 @@ index 0000000..55fb70a
 +.br
 +	/home/[^/]*/\.spamassassin(/.*)?
 +.br
++	/home/dwalsh/\.pyzor(/.*)?
++.br
++	/home/dwalsh/\.spamd(/.*)?
++.br
++	/home/dwalsh/\.razor(/.*)?
++.br
++	/home/dwalsh/\.spamassassin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.pyzor(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spamd(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.razor(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spamassassin(/.*)?
++.br
 +
 +.br
 +.B spamc_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
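Review bot: The added MANAGED FILES entries `/home/dwalsh/\.pyzor(/.*)?` and `/var/lib/xguest/home/xguest/\.pyzor(/.*)?` (with their `.spamd`, `.razor` and `.spamassassin` siblings) look like home-directory expansions from the machine where the page was produced, not policy defaults. Shipping them presents one local account's paths as default labels and discloses an account name from that host. The generic `/home/[^/]*/\.spamassassin(/.*)?` pattern already covers the general case. I would drop the eight host-specific lines here and the matching ones in the spamd_selinux.8 and ssh_keygen_selinux.8 hunks, and produce the pages from a clean policy tree. The MANAGED FILES section starts outside this hunk.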
@@ -78504,17 +84859,46 @@ index 0000000..55fb70a
 +selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8
 new file mode 100644
-index 0000000..d12fcdc
+index 0000000..c84d4bc
 --- /dev/null
 +++ b/man/man8/spamd_selinux.8
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,377 @@
 +.TH  "spamd_selinux"  "8"  "spamd" "dwalsh at redhat.com" "spamd SELinux Policy documentation"
 +.SH "NAME"
 +spamd_selinux \- Security Enhanced Linux Policy for the spamd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the spamd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the spamd processes via flexible mandatory access control.
++
++The spamd processes execute with the spamd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep spamd_t
++
++
++.SH "ENTRYPOINTS"
++
++The spamd_t SELinux type can be entered via the "spamd_exec_t" file type.  The default entrypoint paths for the spamd_t domain are the following:"
++
++/usr/sbin/spampd, /usr/sbin/spamd, /usr/bin/mimedefang-multiplexor, /usr/bin/pyzord, /usr/bin/spamd, /usr/bin/mimedefang
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamd:
++
++.EX
++.B spamc_t, spamd_t, spamd_update_t, spamass_milter_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible.
@@ -78541,22 +84925,6 @@ index 0000000..d12fcdc
 +.B setsebool -P httpd_can_check_spam 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -78610,7 +84978,7 @@ index 0000000..d12fcdc
 +.br
 +.TP 5
 +Paths: 
-+/etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/pyzord
++/etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.*
 +
 +.EX
 +.PP
@@ -78706,27 +85074,9 @@ index 0000000..d12fcdc
 +Default Defined Ports:
 +tcp 783,10026,10027
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for spamd:
-+
-+.EX
-+.B spamc_t, spamd_t, spamd_update_t, spamass_milter_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type spamd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type spamd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amavis_var_lib_t
@@ -78769,6 +85119,22 @@ index 0000000..d12fcdc
 +.br
 +	/home/[^/]*/\.spamassassin(/.*)?
 +.br
++	/home/dwalsh/\.pyzor(/.*)?
++.br
++	/home/dwalsh/\.spamd(/.*)?
++.br
++	/home/dwalsh/\.razor(/.*)?
++.br
++	/home/dwalsh/\.spamassassin(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.pyzor(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spamd(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.razor(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.spamassassin(/.*)?
++.br
 +
 +.br
 +.B spamd_compiled_t
@@ -78822,6 +85188,32 @@ index 0000000..d12fcdc
 +	/var/spool/MD-Quarantine(/.*)?
 +.br
 +
++.br
++.B user_home_t
++
++	/home/[^/]*/.+
++.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
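Review bot: The new `.B user_home_t` entry with `/home/[^/]*/.+` documents that spamd_t can manage essentially all user home content, and the page gives no condition for it. That is far wider than the `.spamassassin`, `.razor` and `.pyzor` paths listed earlier in the section. The policy rule behind the entry is not visible in this hunk; if the access depends on a boolean, a one-line remark under `.B user_home_t` naming that boolean would tell administrators how to turn it off. The `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+` lines are host-specific expansions and should not ship.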
@@ -78851,33 +85243,46 @@ index 0000000..d12fcdc
 \ No newline at end of file
 diff --git a/man/man8/spamd_update_selinux.8 b/man/man8/spamd_update_selinux.8
 new file mode 100644
-index 0000000..bf8c132
+index 0000000..51de035
 --- /dev/null
 +++ b/man/man8/spamd_update_selinux.8
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,117 @@
 +.TH  "spamd_update_selinux"  "8"  "spamd_update" "dwalsh at redhat.com" "spamd_update SELinux Policy documentation"
 +.SH "NAME"
 +spamd_update_selinux \- Security Enhanced Linux Policy for the spamd_update processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the spamd_update processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the spamd_update processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The spamd_update processes execute with the spamd_update_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamd_update_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep spamd_update_t
++
++
++.SH "ENTRYPOINTS"
 +
++The spamd_update_t SELinux type can be entered via the "spamd_update_exec_t" file type.  The default entrypoint paths for the spamd_update_t domain are the following:"
++
++/usr/bin/sa-update
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the spamd_update_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible.
++.PP 
++The following process types are defined for spamd_update:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B spamd_update_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -78905,27 +85310,9 @@ index 0000000..bf8c132
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for spamd_update:
-+
-+.EX
-+.B spamd_update_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type spamd_update_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type spamd_update_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B spamd_tmp_t
@@ -78941,6 +85328,22 @@ index 0000000..bf8c132
 +	/var/lib/spamassassin(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamd_update_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the spamd_update_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -78960,23 +85363,50 @@ index 0000000..bf8c132
 +
 +.SH "SEE ALSO"
 +selinux(8), spamd_update(8), semanage(8), restorecon(8), chcon(1)
-+, spamd_selinux(8)
++, spamd_selinux(8), spamd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/squid_cron_selinux.8 b/man/man8/squid_cron_selinux.8
 new file mode 100644
-index 0000000..f465ac5
+index 0000000..9b57c2c
 --- /dev/null
 +++ b/man/man8/squid_cron_selinux.8
-@@ -0,0 +1,90 @@
+@@ -0,0 +1,101 @@
 +.TH  "squid_cron_selinux"  "8"  "squid_cron" "dwalsh at redhat.com" "squid_cron SELinux Policy documentation"
 +.SH "NAME"
 +squid_cron_selinux \- Security Enhanced Linux Policy for the squid_cron processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the squid_cron processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the squid_cron processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The squid_cron processes execute with the squid_cron_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep squid_cron_t
++
++
++.SH "ENTRYPOINTS"
++
++The squid_cron_t SELinux type can be entered via the "squid_cron_exec_t" file type.  The default entrypoint paths for the squid_cron_t domain are the following:"
++
++/usr/sbin/lightparser.pl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible.
++.PP 
++The following process types are defined for squid_cron:
++
++.EX
++.B squid_cron_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
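Review bot: The SEE ALSO line at the top of this hunk now lists the same page twice, `, spamd_selinux(8), spamd_selinux(8)`, and still starts with a dangling comma on its own line. It should be a single reference joined to the previous line: `selinux(8), spamd_update(8), semanage(8), restorecon(8), chcon(1), spamd_selinux(8)`. The squid_cron_selinux.8 page gets the same duplicate with `squid_selinux(8)` in a later hunk.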
@@ -79004,27 +85434,9 @@ index 0000000..f465ac5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for squid_cron:
-+
-+.EX
-+.B squid_cron_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type squid_cron_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type squid_cron_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B squid_cache_t
@@ -79038,6 +85450,8 @@ index 0000000..f465ac5
 +	/var/spool/squid(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
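Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so squid_cron_selinux(8) renders an empty section directly above COMMANDS. The other pages in this patch put the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` paragraphs under that heading. Where a domain has neither, the heading should be left out rather than emitted empty. srvsvcd_selinux.8 has the same empty heading in a later hunk.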
@@ -79057,54 +85471,67 @@ index 0000000..f465ac5
 +
 +.SH "SEE ALSO"
 +selinux(8), squid_cron(8), semanage(8), restorecon(8), chcon(1)
-+, squid_selinux(8)
++, squid_selinux(8), squid_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8
 new file mode 100644
-index 0000000..3fbcfea
+index 0000000..7fbe24e
 --- /dev/null
 +++ b/man/man8/squid_selinux.8
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,310 @@
 +.TH  "squid_selinux"  "8"  "squid" "dwalsh at redhat.com" "squid SELinux Policy documentation"
 +.SH "NAME"
 +squid_selinux \- Security Enhanced Linux Policy for the squid processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the squid processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the squid processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible.
++The squid processes execute with the squid_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean.
++.B ps -eZ | grep squid_t
 +
-+.EX
-+.B setsebool -P squid_use_tproxy 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The squid_t SELinux type can be entered via the "squid_exec_t" file type.  The default entrypoint paths for the squid_t domain are the following:"
++
++/usr/sbin/squid
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
++.PP 
++The following process types are defined for squid:
 +
 +.EX
-+.B setsebool -P squid_connect_any 1
++.B squid_t, squid_cron_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P squid_use_tproxy 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean.
++If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P squid_connect_any 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -79234,27 +85661,9 @@ index 0000000..3fbcfea
 +.EE
 +udp 3401,4827
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for squid:
-+
-+.EX
-+.B squid_t, squid_cron_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type squid_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type squid_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -79338,6 +85747,22 @@ index 0000000..3fbcfea
 +	/var/run/squid\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -79367,19 +85792,46 @@ index 0000000..3fbcfea
 \ No newline at end of file
 diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8
 new file mode 100644
-index 0000000..0bdd4d8
+index 0000000..f911e32
 --- /dev/null
 +++ b/man/man8/srvsvcd_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,122 @@
 +.TH  "srvsvcd_selinux"  "8"  "srvsvcd" "dwalsh at redhat.com" "srvsvcd SELinux Policy documentation"
 +.SH "NAME"
 +srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the srvsvcd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the srvsvcd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The srvsvcd processes execute with the srvsvcd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep srvsvcd_t
++
++
++.SH "ENTRYPOINTS"
++
++The srvsvcd_t SELinux type can be entered via the "srvsvcd_exec_t" file type.  The default entrypoint paths for the srvsvcd_t domain are the following:"
++
++/usr/sbin/srvsvcd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
++.PP 
++The following process types are defined for srvsvcd:
++
++.EX
++.B srvsvcd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -79431,27 +85883,9 @@ index 0000000..0bdd4d8
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for srvsvcd:
-+
-+.EX
-+.B srvsvcd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type srvsvcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type srvsvcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B srvsvcd_var_lib_t
@@ -79463,6 +85897,8 @@ index 0000000..0bdd4d8
 +	/var/run/srvsvcd.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -79484,33 +85920,46 @@ index 0000000..0bdd4d8
 +selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ssh_keygen_selinux.8 b/man/man8/ssh_keygen_selinux.8
 new file mode 100644
-index 0000000..20dbef6
+index 0000000..218aff7
 --- /dev/null
 +++ b/man/man8/ssh_keygen_selinux.8
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,151 @@
 +.TH  "ssh_keygen_selinux"  "8"  "ssh_keygen" "dwalsh at redhat.com" "ssh_keygen SELinux Policy documentation"
 +.SH "NAME"
 +ssh_keygen_selinux \- Security Enhanced Linux Policy for the ssh_keygen processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ssh_keygen processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ssh_keygen processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ssh_keygen processes execute with the ssh_keygen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep ssh_keygen_t
 +
++
++.SH "ENTRYPOINTS"
++
++The ssh_keygen_t SELinux type can be entered via the "ssh_keygen_exec_t" file type.  The default entrypoint paths for the ssh_keygen_t domain are the following:"
++
++/usr/bin/ssh-keygen
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible.
++.PP 
++The following process types are defined for ssh_keygen:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B ssh_keygen_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -79538,27 +85987,9 @@ index 0000000..20dbef6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ssh_keygen:
-+
-+.EX
-+.B ssh_keygen_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ssh_keygen_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ssh_keygen_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ssh_home_t
@@ -79581,6 +86012,14 @@ index 0000000..20dbef6
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
 +
 +.br
 +.B sshd_key_t
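Review bot: The added default-path entries `/home/dwalsh/\.ssh(/.*)?` and `/var/lib/xguest/home/xguest/\.ssh(/.*)?` look like the home-directory template expanded against the accounts on the machine where the pages were built, not defaults that hold on an installed system. As written they document ssh_home_t paths that will not exist on other hosts, and they put local account names into shipped documentation. The generic `/home/[^/]*/\.ssh(/.*)?` and `/home/[^/]*/\.shosts` entries already cover these locations, so the per-user expansions should be dropped, or the pages regenerated in a clean build root. The same pattern recurs in the later ssh_selinux.8, sshd_selinux.8 and staff_selinux.8 hunks (`.google_authenticator`, `.Xauthority`, `.gnupg/log-socket`, `/tmp/gconfd-dwalsh`).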
@@ -79600,6 +86039,22 @@ index 0000000..20dbef6
 +	/etc/ssh/ssh_host_rsa_key
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -79619,21 +86074,50 @@ index 0000000..20dbef6
 +
 +.SH "SEE ALSO"
 +selinux(8), ssh_keygen(8), semanage(8), restorecon(8), chcon(1)
-+, ssh_selinux(8)
++, ssh_selinux(8), ssh_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ssh_keysign_selinux.8 b/man/man8/ssh_keysign_selinux.8
 new file mode 100644
-index 0000000..931ff5a
+index 0000000..bf2202b
 --- /dev/null
 +++ b/man/man8/ssh_keysign_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "ssh_keysign_selinux"  "8"  "ssh_keysign" "dwalsh at redhat.com" "ssh_keysign SELinux Policy documentation"
 +.SH "NAME"
 +ssh_keysign_selinux \- Security Enhanced Linux Policy for the ssh_keysign processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ssh_keysign processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ssh_keysign processes via flexible mandatory access control.
++
++The ssh_keysign processes execute with the ssh_keysign_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ssh_keysign_t
++
++
++.SH "ENTRYPOINTS"
++
++The ssh_keysign_t SELinux type can be entered via the "ssh_keysign_exec_t" file type.  The default entrypoint paths for the ssh_keysign_t domain are the following:"
++
++/usr/libexec/openssh/ssh-keysign
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible.
++.PP 
++The following process types are defined for ssh_keysign:
++
++.EX
++.B ssh_keysign_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  ssh_keysign policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh_keysign with the tightest access possible.
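Review bot: In the relocated PROCESS TYPES text the `ps` reference is written `\fBps\bP`, which appears to be a typo for `\fBps\fP` (the form the new DESCRIPTION paragraph uses), so the bold font is likely never switched back at that point. The SEE ALSO line of ssh_keygen_selinux.8 now lists `ssh_selinux(8)` twice, and the ENTRYPOINTS sentence ends with a stray `"` after `the following:`. These strings appear to come from the page generator's templates, so the fix belongs there. The same text repeats in the ssh, sshd, sssd, stapserver and stunnel sections of this patch.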
@@ -79646,8 +86130,6 @@ index 0000000..931ff5a
 +.B setsebool -P ssh_keysign 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -79674,27 +86156,11 @@ index 0000000..931ff5a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ssh_keysign:
-+
-+.EX
-+.B ssh_keysign_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ssh_keysign_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ssh_keysign_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -79718,21 +86184,50 @@ index 0000000..931ff5a
 +
 +.SH "SEE ALSO"
 +selinux(8), ssh_keysign(8), semanage(8), restorecon(8), chcon(1)
-+, setsebool(8), ssh_selinux(8)
++, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), sshd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8
 new file mode 100644
-index 0000000..7c35616
+index 0000000..05959fb
 --- /dev/null
 +++ b/man/man8/ssh_selinux.8
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,359 @@
 +.TH  "ssh_selinux"  "8"  "ssh" "dwalsh at redhat.com" "ssh SELinux Policy documentation"
 +.SH "NAME"
 +ssh_selinux \- Security Enhanced Linux Policy for the ssh processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ssh processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ssh processes via flexible mandatory access control.
++
++The ssh processes execute with the ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ssh_t
++
++
++.SH "ENTRYPOINTS"
++
++The ssh_t SELinux type can be entered via the "ssh_exec_t" file type.  The default entrypoint paths for the ssh_t domain are the following:"
++
++/usr/bin/ssh
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
++.PP 
++The following process types are defined for ssh:
++
++.EX
++.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible.
@@ -79773,22 +86268,6 @@ index 0000000..7c35616
 +.B setsebool -P fenced_can_ssh 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -79946,27 +86425,9 @@ index 0000000..7c35616
 +Default Defined Ports:
 +tcp 22
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ssh:
-+
-+.EX
-+.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ssh_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ssh_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ssh_home_t
@@ -79989,6 +86450,14 @@ index 0000000..7c35616
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
 +
 +.br
 +.B ssh_tmpfs_t
@@ -80009,6 +86478,18 @@ index 0000000..7c35616
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_tmp_t
@@ -80017,6 +86498,10 @@ index 0000000..7c35616
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B user_tmp_type
@@ -80024,6 +86509,22 @@ index 0000000..7c35616
 +	all user tmp files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -80053,17 +86554,46 @@ index 0000000..7c35616
 \ No newline at end of file
 diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8
 new file mode 100644
-index 0000000..6389ad9
+index 0000000..922fe19
 --- /dev/null
 +++ b/man/man8/sshd_selinux.8
-@@ -0,0 +1,426 @@
+@@ -0,0 +1,457 @@
 +.TH  "sshd_selinux"  "8"  "sshd" "dwalsh at redhat.com" "sshd SELinux Policy documentation"
 +.SH "NAME"
 +sshd_selinux \- Security Enhanced Linux Policy for the sshd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sshd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sshd processes via flexible mandatory access control.
++
++The sshd processes execute with the sshd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep sshd_t
++
++
++.SH "ENTRYPOINTS"
++
++The sshd_t SELinux type can be entered via the "sshd_exec_t" file type.  The default entrypoint paths for the sshd_t domain are the following:"
++
++/usr/sbin/sshd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sshd:
++
++.EX
++.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible.
@@ -80104,22 +86634,6 @@ index 0000000..6389ad9
 +.B setsebool -P fenced_can_ssh 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -80217,27 +86731,9 @@ index 0000000..6389ad9
 +Default Defined Ports:
 +tcp 22
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sshd:
-+
-+.EX
-+.B sshd_sandbox_t, ssh_keysign_t, ssh_keygen_t, ssh_t, sshd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sshd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sshd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -80256,6 +86752,14 @@ index 0000000..6389ad9
 +.br
 +	/home/[^/]*/\.google_authenticator~
 +.br
++	/home/dwalsh/\.google_authenticator
++.br
++	/home/dwalsh/\.google_authenticator~
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator~
++.br
 +
 +.br
 +.B cgroup_t
@@ -80396,6 +86900,14 @@ index 0000000..6389ad9
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
 +
 +.br
 +.B sshd_tmpfs_t
@@ -80424,6 +86936,10 @@ index 0000000..6389ad9
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B user_tmp_type
@@ -80457,6 +86973,22 @@ index 0000000..6389ad9
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -80486,33 +87018,46 @@ index 0000000..6389ad9
 \ No newline at end of file
 diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8
 new file mode 100644
-index 0000000..b685521
+index 0000000..cace1ad
 --- /dev/null
 +++ b/man/man8/sssd_selinux.8
-@@ -0,0 +1,241 @@
+@@ -0,0 +1,252 @@
 +.TH  "sssd_selinux"  "8"  "sssd" "dwalsh at redhat.com" "sssd SELinux Policy documentation"
 +.SH "NAME"
 +sssd_selinux \- Security Enhanced Linux Policy for the sssd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sssd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sssd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sssd processes execute with the sssd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep sssd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The sssd_t SELinux type can be entered via the "sssd_exec_t" file type.  The default entrypoint paths for the sssd_t domain are the following:"
++
++/usr/sbin/sssd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
++.PP 
++The following process types are defined for sssd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sssd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -80592,27 +87137,9 @@ index 0000000..b685521
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sssd:
-+
-+.EX
-+.B sssd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sssd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sssd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -80712,6 +87239,22 @@ index 0000000..b685521
 +	all user tmp files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -80733,10 +87276,10 @@ index 0000000..b685521
 +selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/staff_selinux.8 b/man/man8/staff_selinux.8
 new file mode 100644
-index 0000000..136be75
+index 0000000..f1f1523
 --- /dev/null
 +++ b/man/man8/staff_selinux.8
-@@ -0,0 +1,506 @@
+@@ -0,0 +1,574 @@
 +.TH  "staff_selinux"  "8"  "staff" "mgrepl at redhat.com" "staff SELinux Policy documentation"
 +.SH "NAME"
 +staff_u \- \fBAdministrator's unprivileged user\fP - Security Enhanced Linux Policy 
@@ -80976,7 +87519,7 @@ index 0000000..136be75
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type staff_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type staff_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -81021,24 +87564,40 @@ index 0000000..136be75
 +
 +	/home/[^/]*/\.gnupg/log-socket
 +.br
++	/home/dwalsh/\.gnupg/log-socket
++.br
++	/var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
 +
 +.br
 +.B httpd_user_content_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
 +
 +.br
 +.B httpd_user_htaccess_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
 +
 +.br
 +.B httpd_user_ra_content_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
 +
 +.br
 +.B httpd_user_rw_content_t
@@ -81049,6 +87608,10 @@ index 0000000..136be75
 +
 +	/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
 +
 +.br
 +.B iceauth_home_t
@@ -81061,6 +87624,14 @@ index 0000000..136be75
 +.br
 +	/home/[^/]*/\.ICEauthority.*
 +.br
++	/home/dwalsh/\.DCOP.*
++.br
++	/home/dwalsh/\.ICEauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.DCOP.*
++.br
++	/var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
 +
 +.br
 +.B mail_spool_t
@@ -81109,6 +87680,14 @@ index 0000000..136be75
 +.br
 +	/home/[^/]*/\.screenrc
 +.br
++	/home/dwalsh/\.screen(/.*)?
++.br
++	/home/dwalsh/\.screenrc
++.br
++	/var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.screenrc
++.br
 +
 +.br
 +.B security_t
@@ -81143,6 +87722,18 @@ index 0000000..136be75
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_fonts_t
@@ -81153,6 +87744,10 @@ index 0000000..136be75
 +.br
 +	/home/[^/]*/\.fonts(/.*)?
 +.br
++	/home/dwalsh/\.fonts(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
 +
 +.br
 +.B user_home_type
@@ -81205,6 +87800,22 @@ index 0000000..136be75
 +.br
 +	/home/[^/]*/\.Xauthority.*
 +.br
++	/home/dwalsh/\.xauth.*
++.br
++	/home/dwalsh/\.Xauth.*
++.br
++	/home/dwalsh/\.serverauth.*
++.br
++	/home/dwalsh/\.Xauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.serverauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauthority.*
++.br
 +
 +.br
 +.B xdm_tmp_t
@@ -81246,33 +87857,46 @@ index 0000000..136be75
 \ No newline at end of file
 diff --git a/man/man8/stapserver_selinux.8 b/man/man8/stapserver_selinux.8
 new file mode 100644
-index 0000000..8836267
+index 0000000..296ab8b
 --- /dev/null
 +++ b/man/man8/stapserver_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,144 @@
 +.TH  "stapserver_selinux"  "8"  "stapserver" "dwalsh at redhat.com" "stapserver SELinux Policy documentation"
 +.SH "NAME"
 +stapserver_selinux \- Security Enhanced Linux Policy for the stapserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the stapserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the stapserver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The stapserver processes execute with the stapserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep stapserver_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The stapserver_t SELinux type can be entered via the "stapserver_exec_t" file type.  The default entrypoint paths for the stapserver_t domain are the following:"
++
++/usr/bin/stap-server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for stapserver:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B stapserver_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -81324,27 +87948,9 @@ index 0000000..8836267
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for stapserver:
-+
-+.EX
-+.B stapserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type stapserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type stapserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B stapserver_log_t
@@ -81364,6 +87970,22 @@ index 0000000..8836267
 +	/var/run/stap-server(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -81385,33 +88007,46 @@ index 0000000..8836267
 +selinux(8), stapserver(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8
 new file mode 100644
-index 0000000..120490d
+index 0000000..1e88acd
 --- /dev/null
 +++ b/man/man8/stunnel_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,162 @@
 +.TH  "stunnel_selinux"  "8"  "stunnel" "dwalsh at redhat.com" "stunnel SELinux Policy documentation"
 +.SH "NAME"
 +stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the stunnel processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the stunnel processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The stunnel processes execute with the stunnel_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep stunnel_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The stunnel_t SELinux type can be entered via the "stunnel_exec_t" file type.  The default entrypoint paths for the stunnel_t domain are the following:"
++
++/usr/sbin/stunnel, /usr/bin/stunnel
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
++.PP 
++The following process types are defined for stunnel:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B stunnel_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -81486,27 +88121,9 @@ index 0000000..120490d
 +.TP 10
 +.EE
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for stunnel:
-+
-+.EX
-+.B stunnel_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type stunnel_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type stunnel_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B stunnel_tmp_t
@@ -81518,6 +88135,22 @@ index 0000000..120490d
 +	/var/run/stunnel(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -81542,33 +88175,46 @@ index 0000000..120490d
 +selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8
 new file mode 100644
-index 0000000..915dc79
+index 0000000..33d3718
 --- /dev/null
 +++ b/man/man8/sulogin_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,112 @@
 +.TH  "sulogin_selinux"  "8"  "sulogin" "dwalsh at redhat.com" "sulogin SELinux Policy documentation"
 +.SH "NAME"
 +sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sulogin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sulogin processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sulogin processes execute with the sulogin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep sulogin_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The sulogin_t SELinux type can be entered via the "sulogin_exec_t" file type.  The default entrypoint paths for the sulogin_t domain are the following:"
++
++/usr/sbin/sushell, /sbin/sulogin, /usr/sbin/sulogin, /sbin/sushell
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sulogin_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
++.PP 
++The following process types are defined for sulogin:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sulogin_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
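Review bot: The added line `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` in the PROCESS TYPES section ends with `\bP`, which looks like a typo for the font-reset escape `\fP`, so bold is presumably not switched off after `ps`. The new ENTRYPOINTS sentence in the same hunk also ends with an unmatched double quote (`are the following:"`). Both repeat in the other regenerated pages in this patch (stunnel, svc_multilog, svc_run, svc_start, svnserve, swat, syslogd), so the fix belongs in the generator template rather than in each page: `option to \fBps\fP` and `are the following:`.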
@@ -81600,27 +88246,9 @@ index 0000000..915dc79
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sulogin:
-+
-+.EX
-+.B sulogin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sulogin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sulogin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B security_t
@@ -81628,6 +88256,22 @@ index 0000000..915dc79
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sulogin_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -81649,19 +88293,46 @@ index 0000000..915dc79
 +selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/svc_multilog_selinux.8 b/man/man8/svc_multilog_selinux.8
 new file mode 100644
-index 0000000..4c3b5f0
+index 0000000..0fd43da
 --- /dev/null
 +++ b/man/man8/svc_multilog_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,157 @@
 +.TH  "svc_multilog_selinux"  "8"  "svc_multilog" "dwalsh at redhat.com" "svc_multilog SELinux Policy documentation"
 +.SH "NAME"
 +svc_multilog_selinux \- Security Enhanced Linux Policy for the svc_multilog processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the svc_multilog processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the svc_multilog processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The svc_multilog processes execute with the svc_multilog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep svc_multilog_t
++
++
++.SH "ENTRYPOINTS"
++
++The svc_multilog_t SELinux type can be entered via the "svc_multilog_exec_t" file type.  The default entrypoint paths for the svc_multilog_t domain are the following:"
++
++/usr/bin/multilog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible.
++.PP 
++The following process types are defined for svc_multilog:
++
++.EX
++.B svc_multilog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -81689,27 +88360,9 @@ index 0000000..4c3b5f0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for svc_multilog:
-+
-+.EX
-+.B svc_multilog_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type svc_multilog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type svc_multilog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B svc_svc_t
@@ -81779,6 +88432,8 @@ index 0000000..4c3b5f0
 +	/var/spool/plymouth/boot\.log
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
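Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so svc_multilog_selinux.8 gets an empty section heading followed directly by `.SH "COMMANDS"`. In the stunnel, sulogin, swat and syslogd pages the same heading introduces the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` paragraphs, so a reader of this page cannot tell whether those booleans apply to svc_multilog_t or were left out. The heading should only be emitted when there is at least one paragraph under it. The same empty section is added to svc_run_selinux.8, svc_start_selinux.8 and svnserve_selinux.8 in later hunks.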
@@ -81798,21 +88453,50 @@ index 0000000..4c3b5f0
 +
 +.SH "SEE ALSO"
 +selinux(8), svc_multilog(8), semanage(8), restorecon(8), chcon(1)
++, svc_run_selinux(8), svc_start_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/svc_run_selinux.8 b/man/man8/svc_run_selinux.8
 new file mode 100644
-index 0000000..9a57aee
+index 0000000..dd025cb
 --- /dev/null
 +++ b/man/man8/svc_run_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,93 @@
 +.TH  "svc_run_selinux"  "8"  "svc_run" "dwalsh at redhat.com" "svc_run SELinux Policy documentation"
 +.SH "NAME"
 +svc_run_selinux \- Security Enhanced Linux Policy for the svc_run processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the svc_run processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the svc_run processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The svc_run processes execute with the svc_run_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep svc_run_t
++
++
++.SH "ENTRYPOINTS"
++
++The svc_run_t SELinux type can be entered via the "svc_run_exec_t" file type.  The default entrypoint paths for the svc_run_t domain are the following:"
++
++/var/tinydns/run, /var/dnscache/log/run, /var/qmail/supervise/.*/run, /var/axfrdns/log/run, /usr/bin/setuidgid, /usr/bin/fghack, /var/tinydns/log/run, /var/service/.*/log/run, /var/axfrdns/run, /var/qmail/supervise/.*/log/run, /usr/bin/envuidgid, /usr/bin/envdir, /var/dnscache/run, /usr/bin/softlimit, /var/service/.*/run.*, /usr/bin/pgrphack, /usr/bin/setlock
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible.
++.PP 
++The following process types are defined for svc_run:
++
++.EX
++.B svc_run_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -81844,27 +88528,11 @@ index 0000000..9a57aee
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for svc_run:
-+
-+.EX
-+.B svc_run_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type svc_run_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type svc_run_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -81885,21 +88553,50 @@ index 0000000..9a57aee
 +
 +.SH "SEE ALSO"
 +selinux(8), svc_run(8), semanage(8), restorecon(8), chcon(1)
++, svc_multilog_selinux(8), svc_start_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/svc_start_selinux.8 b/man/man8/svc_start_selinux.8
 new file mode 100644
-index 0000000..8ce23b1
+index 0000000..be0ca5c
 --- /dev/null
 +++ b/man/man8/svc_start_selinux.8
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,111 @@
 +.TH  "svc_start_selinux"  "8"  "svc_start" "dwalsh at redhat.com" "svc_start SELinux Policy documentation"
 +.SH "NAME"
 +svc_start_selinux \- Security Enhanced Linux Policy for the svc_start processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the svc_start processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the svc_start processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The svc_start processes execute with the svc_start_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep svc_start_t
++
++
++.SH "ENTRYPOINTS"
++
++The svc_start_t SELinux type can be entered via the "svc_start_exec_t" file type.  The default entrypoint paths for the svc_start_t domain are the following:"
++
++/usr/bin/svok, /usr/bin/svscan, /usr/bin/svc, /usr/bin/svscanboot, /usr/bin/supervise
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible.
++.PP 
++The following process types are defined for svc_start:
++
++.EX
++.B svc_start_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -81931,27 +88628,9 @@ index 0000000..8ce23b1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for svc_start:
-+
-+.EX
-+.B svc_start_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type svc_start_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type svc_start_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B svc_svc_t
@@ -81971,6 +88650,8 @@ index 0000000..8ce23b1
 +	/service
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -81990,21 +88671,50 @@ index 0000000..8ce23b1
 +
 +.SH "SEE ALSO"
 +selinux(8), svc_start(8), semanage(8), restorecon(8), chcon(1)
++, svc_multilog_selinux(8), svc_run_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/svnserve_selinux.8 b/man/man8/svnserve_selinux.8
 new file mode 100644
-index 0000000..3328dcb
+index 0000000..70bd027
 --- /dev/null
 +++ b/man/man8/svnserve_selinux.8
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,148 @@
 +.TH  "svnserve_selinux"  "8"  "svnserve" "dwalsh at redhat.com" "svnserve SELinux Policy documentation"
 +.SH "NAME"
 +svnserve_selinux \- Security Enhanced Linux Policy for the svnserve processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the svnserve processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the svnserve processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The svnserve processes execute with the svnserve_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep svnserve_t
++
++
++.SH "ENTRYPOINTS"
++
++The svnserve_t SELinux type can be entered via the "svnserve_exec_t" file type.  The default entrypoint paths for the svnserve_t domain are the following:"
++
++/usr/bin/svnserve
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible.
++.PP 
++The following process types are defined for svnserve:
++
++.EX
++.B svnserve_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -82076,27 +88786,9 @@ index 0000000..3328dcb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for svnserve:
-+
-+.EX
-+.B svnserve_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type svnserve_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type svnserve_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B svnserve_content_t
@@ -82114,6 +88806,8 @@ index 0000000..3328dcb
 +	/var/run/svnserve(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -82135,33 +88829,46 @@ index 0000000..3328dcb
 +selinux(8), svnserve(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8
 new file mode 100644
-index 0000000..fc8dec4
+index 0000000..46a0fbb
 --- /dev/null
 +++ b/man/man8/swat_selinux.8
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,212 @@
 +.TH  "swat_selinux"  "8"  "swat" "dwalsh at redhat.com" "swat SELinux Policy documentation"
 +.SH "NAME"
 +swat_selinux \- Security Enhanced Linux Policy for the swat processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the swat processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the swat processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The swat processes execute with the swat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep swat_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The swat_t SELinux type can be entered via the "swat_exec_t" file type.  The default entrypoint paths for the swat_t domain are the following:"
++
++/usr/sbin/swat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
++.PP 
++The following process types are defined for swat:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B swat_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -82228,27 +88935,9 @@ index 0000000..fc8dec4
 +Default Defined Ports:
 +tcp 901
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for swat:
-+
-+.EX
-+.B swat_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type swat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type swat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -82318,6 +89007,22 @@ index 0000000..fc8dec4
 +.B swat_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -82342,10 +89047,10 @@ index 0000000..fc8dec4
 +selinux(8), swat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sysadm_selinux.8 b/man/man8/sysadm_selinux.8
 new file mode 100644
-index 0000000..da9fe7c
+index 0000000..f5b5bf8
 --- /dev/null
 +++ b/man/man8/sysadm_selinux.8
-@@ -0,0 +1,462 @@
+@@ -0,0 +1,514 @@
 +.TH  "sysadm_selinux"  "8"  "sysadm" "mgrepl at redhat.com" "sysadm SELinux Policy documentation"
 +.SH "NAME"
 +sysadm_u \- \fBGeneral system administration role\fP - Security Enhanced Linux Policy 
@@ -82487,12 +89192,12 @@ index 0000000..da9fe7c
 +.TP
 +The SELinux user sysadm_u is able to listen on the following udp ports.
 +
++.B ephemeral_port_t: 32768-61000
++
 +.B all ports with out defined types
 +
 +.B ntp_port_t: 123
 +
-+.B ephemeral_port_t: 32768-61000
-+
 +.TP
 +The SELinux user sysadm_u is able to connect to the following tcp ports.
 +
@@ -82545,7 +89250,7 @@ index 0000000..da9fe7c
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sysadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sysadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auditd_etc_t
@@ -82630,6 +89335,14 @@ index 0000000..da9fe7c
 +.br
 +	/home/[^/]*/\.ICEauthority.*
 +.br
++	/home/dwalsh/\.DCOP.*
++.br
++	/home/dwalsh/\.ICEauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.DCOP.*
++.br
++	/var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
 +
 +.br
 +.B krb5_host_rcache_t
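Review bot: The added `/home/dwalsh/\.DCOP.*`, `/home/dwalsh/\.ICEauthority.*` and `/var/lib/xguest/home/xguest/...` entries look like per-user file-context entries from the machine where the page was generated, not defaults of the shipped policy. The surrounding text calls these "the default paths for these file types", so the page now documents labels an administrator will not find on their own system and publishes a build host's account name. The following hunks of sysadm_selinux.8 add the same two prefixes under the screen, fontconfig, `user_fonts_t`, `user_home_t` and xauth entries. Generating the pages from the packaged policy's file contexts only, or dropping entries that expand the `/home/[^/]*/` template for a concrete user, would keep the output reproducible and host-independent.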
@@ -82682,6 +89395,14 @@ index 0000000..da9fe7c
 +.br
 +	/home/[^/]*/\.screenrc
 +.br
++	/home/dwalsh/\.screen(/.*)?
++.br
++	/home/dwalsh/\.screenrc
++.br
++	/var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.screenrc
++.br
 +
 +.br
 +.B sysctl_type
@@ -82718,6 +89439,18 @@ index 0000000..da9fe7c
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_fonts_t
@@ -82728,12 +89461,20 @@ index 0000000..da9fe7c
 +.br
 +	/home/[^/]*/\.fonts(/.*)?
 +.br
++	/home/dwalsh/\.fonts(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
 +
 +.br
 +.B user_home_t
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B user_home_type
@@ -82780,6 +89521,22 @@ index 0000000..da9fe7c
 +.br
 +	/home/[^/]*/\.Xauthority.*
 +.br
++	/home/dwalsh/\.xauth.*
++.br
++	/home/dwalsh/\.Xauth.*
++.br
++	/home/dwalsh/\.serverauth.*
++.br
++	/home/dwalsh/\.Xauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.serverauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauthority.*
++.br
 +
 +.br
 +.B xserver_tmpfs_t
@@ -82811,50 +89568,63 @@ index 0000000..da9fe7c
 \ No newline at end of file
 diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8
 new file mode 100644
-index 0000000..ad5876d
+index 0000000..d90c6a8
 --- /dev/null
 +++ b/man/man8/syslogd_selinux.8
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,234 @@
 +.TH  "syslogd_selinux"  "8"  "syslogd" "dwalsh at redhat.com" "syslogd SELinux Policy documentation"
 +.SH "NAME"
 +syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the syslogd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the syslogd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible.
++The syslogd processes execute with the syslogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
++.B ps -eZ | grep syslogd_t
 +
-+.EX
-+.B setsebool -P logging_syslogd_use_tty 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The syslogd_t SELinux type can be entered via the "syslogd_exec_t" file type.  The default entrypoint paths for the syslogd_t domain are the following:"
++
++/usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /usr/lib/systemd/systemd-kmsg-syslogd, /sbin/syslogd, /sbin/syslog-ng, /sbin/minilogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for syslogd:
 +
 +.EX
-+.B setsebool -P logging_syslogd_can_sendmail 1
++.B syslogd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P logging_syslogd_use_tty 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P logging_syslogd_can_sendmail 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -82952,27 +89722,9 @@ index 0000000..ad5876d
 +.EE
 +udp 514,6514
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for syslogd:
-+
-+.EX
-+.B syslogd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type syslogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type syslogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B logfile
@@ -83012,6 +89764,22 @@ index 0000000..ad5876d
 +	/var/run/syslogd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -83041,33 +89809,46 @@ index 0000000..ad5876d
 \ No newline at end of file
 diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8
 new file mode 100644
-index 0000000..f98f224
+index 0000000..64b45de
 --- /dev/null
 +++ b/man/man8/sysstat_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,130 @@
 +.TH  "sysstat_selinux"  "8"  "sysstat" "dwalsh at redhat.com" "sysstat SELinux Policy documentation"
 +.SH "NAME"
 +sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the sysstat processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the sysstat processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The sysstat processes execute with the sysstat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep sysstat_t
 +
++
++.SH "ENTRYPOINTS"
++
++The sysstat_t SELinux type can be entered via the "sysstat_exec_t" file type.  The default entrypoint paths for the sysstat_t domain are the following:"
++
++/usr/lib/sa/sa.*, /usr/lib/sysstat/sa.*, /usr/lib/atsar/atsa.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
++.PP 
++The following process types are defined for sysstat:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B sysstat_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
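Review bot: The PROCESS TYPES paragraph added to sysstat_selinux.8 ends the bold `ps` with `\bP` rather than the font escape `\fP` (`\fBps\bP`), so the bold run is presumably not closed where intended; the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The ENTRYPOINTS sentence in the same hunk also ends with a stray `"` after `are the following:`. Both defects recur unchanged in the system_munin_plugin, systemd_logger, systemd_logind, systemd_notify and systemd_passwd_agent pages in later hunks, so the fix probably belongs in whatever produces these pages rather than in each file.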
@@ -83111,27 +89892,9 @@ index 0000000..f98f224
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for sysstat:
-+
-+.EX
-+.B sysstat_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type sysstat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type sysstat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sysstat_log_t
@@ -83145,6 +89908,22 @@ index 0000000..f98f224
 +	/var/log/sysstat(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -83166,19 +89945,46 @@ index 0000000..f98f224
 +selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/system_munin_plugin_selinux.8 b/man/man8/system_munin_plugin_selinux.8
 new file mode 100644
-index 0000000..3e735d4
+index 0000000..a9bb092
 --- /dev/null
 +++ b/man/man8/system_munin_plugin_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,117 @@
 +.TH  "system_munin_plugin_selinux"  "8"  "system_munin_plugin" "dwalsh at redhat.com" "system_munin_plugin SELinux Policy documentation"
 +.SH "NAME"
 +system_munin_plugin_selinux \- Security Enhanced Linux Policy for the system_munin_plugin processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the system_munin_plugin processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the system_munin_plugin processes via flexible mandatory access control.
++
++The system_munin_plugin processes execute with the system_munin_plugin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep system_munin_plugin_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The system_munin_plugin_t SELinux type can be entered via the "system_munin_plugin_exec_t" file type.  The default entrypoint paths for the system_munin_plugin_t domain are the following:"
++
++/usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible.
++.PP 
++The following process types are defined for system_munin_plugin:
++
++.EX
++.B system_munin_plugin_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -83218,27 +90024,9 @@ index 0000000..3e735d4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for system_munin_plugin:
-+
-+.EX
-+.B system_munin_plugin_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type system_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type system_munin_plugin_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B munin_plugin_state_t
@@ -83256,6 +90044,8 @@ index 0000000..3e735d4
 +.B system_munin_plugin_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
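Review bot: `.SH NSSWITCH DOMAIN` is added to system_munin_plugin_selinux.8 with no body, so the rendered page shows an empty heading directly above COMMANDS. Either omit the heading when there is nothing to list for the domain, or add a sentence saying that no nsswitch booleans apply. The systemd_logger page in a later hunk has the same shape under MANAGED FILES: the sentence ending `can manage files labeled with the following file types` is followed by no list at all.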
@@ -83275,35 +90065,50 @@ index 0000000..3e735d4
 +
 +.SH "SEE ALSO"
 +selinux(8), system_munin_plugin(8), semanage(8), restorecon(8), chcon(1)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/systemd_logger_selinux.8 b/man/man8/systemd_logger_selinux.8
 new file mode 100644
-index 0000000..9abc94b
+index 0000000..ae822c51
 --- /dev/null
 +++ b/man/man8/systemd_logger_selinux.8
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,103 @@
 +.TH  "systemd_logger_selinux"  "8"  "systemd_logger" "dwalsh at redhat.com" "systemd_logger SELinux Policy documentation"
 +.SH "NAME"
 +systemd_logger_selinux \- Security Enhanced Linux Policy for the systemd_logger processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the systemd_logger processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the systemd_logger processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The systemd_logger processes execute with the systemd_logger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep systemd_logger_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The systemd_logger_t SELinux type can be entered via the "systemd_logger_exec_t" file type.  The default entrypoint paths for the systemd_logger_t domain are the following:"
++
++/usr/lib/systemd/systemd-logger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the systemd_logger_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible.
++.PP 
++The following process types are defined for systemd_logger:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B systemd_logger_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
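Review bot: The SEE ALSO line added at the top of this hunk for system_munin_plugin_selinux.8 begins with `, systemd_logger_selinux(8), ...` on a line of its own, which roff joins to the previous line with a space and renders as `chcon(1) , systemd_logger_selinux(8)`; the list should be appended to the existing `selinux(8), ...` line instead. The cross-references look unrelated to munin and appear to have been chosen by matching the `system` name prefix, so the way related pages are selected is worth checking. The page also now ends without a trailing newline, and the same leading-comma line is added to the systemd_* pages in later hunks.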
@@ -83331,27 +90136,25 @@ index 0000000..9abc94b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type systemd_logger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for systemd_logger:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B systemd_logger_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_logger_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type systemd_logger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -83372,35 +90175,50 @@ index 0000000..9abc94b
 +
 +.SH "SEE ALSO"
 +selinux(8), systemd_logger(8), semanage(8), restorecon(8), chcon(1)
++, systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/systemd_logind_selinux.8 b/man/man8/systemd_logind_selinux.8
 new file mode 100644
-index 0000000..7cf2f53
+index 0000000..652cae2
 --- /dev/null
 +++ b/man/man8/systemd_logind_selinux.8
-@@ -0,0 +1,211 @@
+@@ -0,0 +1,137 @@
 +.TH  "systemd_logind_selinux"  "8"  "systemd_logind" "dwalsh at redhat.com" "systemd_logind SELinux Policy documentation"
 +.SH "NAME"
 +systemd_logind_selinux \- Security Enhanced Linux Policy for the systemd_logind processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the systemd_logind processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the systemd_logind processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The systemd_logind processes execute with the systemd_logind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep systemd_logind_t
 +
++
++.SH "ENTRYPOINTS"
++
++The systemd_logind_t SELinux type can be entered via the "proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,systemd_logind_exec_t,unlabeled_t" file types.  The default entrypoint paths for the systemd_logind_t domain are the following:"
++
++/dev/cpu/mtrr, /usr/lib/systemd/systemd-logind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the systemd_logind_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible.
++.PP 
++The following process types are defined for systemd_logind:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B systemd_logind_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
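Review bot: The ENTRYPOINTS text added for systemd_logind_t names `proc_type,file_type,mtrr_device_t,sysctl_type,filesystem_type,systemd_logind_exec_t,unlabeled_t` as entry file types, and the next hunk replaces the per-type MANAGED FILES list with `file_type` / `all files on the system`. If the page reflects the policy as built, it describes a domain that can be entered from and can manage files of any type, which is much wider than the cgroup, sysfs, session and seat paths listed before. The policy rule behind this should be confirmed as intended and not the by-product of an attribute-wide grant; that rule is not visible in this hunk. If it is intended, the page should say so explicitly, and listing `/dev/cpu/mtrr` as a default entrypoint path next to `/usr/lib/systemd/systemd-logind` is likely to mislead anyone auditing which executables transition into the domain.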
@@ -83456,119 +90274,31 @@ index 0000000..7cf2f53
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for systemd_logind:
-+
-+.EX
-+.B systemd_logind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type systemd_logind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B cgroup_t
-+
-+	/cgroup
-+.br
-+	/sys/fs/cgroup
-+.br
-+
-+.br
-+.B config_home_t
-+
-+	/root/\.kde(/.*)?
-+.br
-+	/root/\.xine(/.*)?
-+.br
-+	/root/\.config(/.*)?
-+.br
-+	/var/run/user/[^/]*/dconf(/.*)?
-+.br
-+	/root/\.Xdefaults
-+.br
-+	/home/[^/]*/\.kde(/.*)?
-+.br
-+	/home/[^/]*/\.xine(/.*)?
-+.br
-+	/home/[^/]*/\.config(/.*)?
-+.br
-+	/home/[^/]*/\.Xdefaults
-+.br
-+
-+.br
-+.B sysfs_t
-+
-+	/sys(/.*)?
-+.br
-+
-+.br
-+.B systemd_logind_inhibit_var_run_t
-+
-+	/var/run/systemd/inhibit(/.*)?
-+.br
-+
-+.br
-+.B systemd_logind_sessions_t
-+
-+	/var/run/systemd/sessions(/.*)?
-+.br
-+
-+.br
-+.B systemd_logind_var_run_t
++The SELinux process type systemd_logind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
-+	/var/run/systemd/seats(/.*)?
-+.br
-+	/var/run/systemd/users(/.*)?
-+.br
-+	/var/run/nologin
 +.br
++.B file_type
 +
++	all files on the system
 +.br
-+.B udev_rules_t
 +
-+	/etc/udev/rules.d(/.*)?
-+.br
++.SH NSSWITCH DOMAIN
 +
-+.br
-+.B user_tmp_t
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
-+	/var/run/user(/.*)?
-+.br
-+	/tmp/gconfd-.*
-+.br
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
 +
-+.br
-+.B var_auth_t
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_logind_t, you must turn on the kerberos_enabled boolean.
 +
-+	/var/ace(/.*)?
-+.br
-+	/var/rsa(/.*)?
-+.br
-+	/var/lib/abl(/.*)?
-+.br
-+	/var/lib/rsa(/.*)?
-+.br
-+	/var/lib/pam_ssh(/.*)?
-+.br
-+	/var/run/pam_ssh(/.*)?
-+.br
-+	/var/lib/pam_shield(/.*)?
-+.br
-+	/var/lib/google-authenticator(/.*)?
-+.br
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -83589,35 +90319,50 @@ index 0000000..7cf2f53
 +
 +.SH "SEE ALSO"
 +selinux(8), systemd_logind(8), semanage(8), restorecon(8), chcon(1)
++, systemd_logger_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/systemd_notify_selinux.8 b/man/man8/systemd_notify_selinux.8
 new file mode 100644
-index 0000000..ed296ff
+index 0000000..5b14284
 --- /dev/null
 +++ b/man/man8/systemd_notify_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,115 @@
 +.TH  "systemd_notify_selinux"  "8"  "systemd_notify" "dwalsh at redhat.com" "systemd_notify SELinux Policy documentation"
 +.SH "NAME"
 +systemd_notify_selinux \- Security Enhanced Linux Policy for the systemd_notify processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the systemd_notify processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the systemd_notify processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The systemd_notify processes execute with the systemd_notify_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_notify_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep systemd_notify_t
++
++
++.SH "ENTRYPOINTS"
 +
++The systemd_notify_t SELinux type can be entered via the "systemd_notify_exec_t" file type.  The default entrypoint paths for the systemd_notify_t domain are the following:"
++
++/usr/bin/systemd-notify, /bin/systemd-notify
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the systemd_notify_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible.
++.PP 
++The following process types are defined for systemd_notify:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B systemd_notify_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -83649,27 +90394,9 @@ index 0000000..ed296ff
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for systemd_notify:
-+
-+.EX
-+.B systemd_notify_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type systemd_notify_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type systemd_notify_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B readahead_var_run_t
@@ -83679,6 +90406,22 @@ index 0000000..ed296ff
 +	/var/run/systemd/readahead(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_notify_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_notify_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -83698,35 +90441,50 @@ index 0000000..ed296ff
 +
 +.SH "SEE ALSO"
 +selinux(8), systemd_notify(8), semanage(8), restorecon(8), chcon(1)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/systemd_passwd_agent_selinux.8 b/man/man8/systemd_passwd_agent_selinux.8
 new file mode 100644
-index 0000000..7ef8fb2
+index 0000000..f9eeb7e
 --- /dev/null
 +++ b/man/man8/systemd_passwd_agent_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,115 @@
 +.TH  "systemd_passwd_agent_selinux"  "8"  "systemd_passwd_agent" "dwalsh at redhat.com" "systemd_passwd_agent SELinux Policy documentation"
 +.SH "NAME"
 +systemd_passwd_agent_selinux \- Security Enhanced Linux Policy for the systemd_passwd_agent processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the systemd_passwd_agent processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the systemd_passwd_agent processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The systemd_passwd_agent processes execute with the systemd_passwd_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_passwd_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep systemd_passwd_agent_t
++
++
++.SH "ENTRYPOINTS"
++
++The systemd_passwd_agent_t SELinux type can be entered via the "systemd_passwd_agent_exec_t" file type.  The default entrypoint paths for the systemd_passwd_agent_t domain are the following:"
 +
++/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the systemd_passwd_agent_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible.
++.PP 
++The following process types are defined for systemd_passwd_agent:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B systemd_passwd_agent_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -83758,27 +90516,9 @@ index 0000000..7ef8fb2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for systemd_passwd_agent:
-+
-+.EX
-+.B systemd_passwd_agent_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type systemd_passwd_agent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type systemd_passwd_agent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B systemd_passwd_var_run_t
@@ -83788,6 +90528,22 @@ index 0000000..7ef8fb2
 +	/var/run/systemd/ask-password-block(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_passwd_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_passwd_agent_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -83807,35 +90563,50 @@ index 0000000..7ef8fb2
 +
 +.SH "SEE ALSO"
 +selinux(8), systemd_passwd_agent(8), semanage(8), restorecon(8), chcon(1)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_tmpfiles_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/systemd_tmpfiles_selinux.8 b/man/man8/systemd_tmpfiles_selinux.8
 new file mode 100644
-index 0000000..1cd7d68
+index 0000000..f4aeccc
 --- /dev/null
 +++ b/man/man8/systemd_tmpfiles_selinux.8
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,191 @@
 +.TH  "systemd_tmpfiles_selinux"  "8"  "systemd_tmpfiles" "dwalsh at redhat.com" "systemd_tmpfiles SELinux Policy documentation"
 +.SH "NAME"
 +systemd_tmpfiles_selinux \- Security Enhanced Linux Policy for the systemd_tmpfiles processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the systemd_tmpfiles processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the systemd_tmpfiles processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The systemd_tmpfiles processes execute with the systemd_tmpfiles_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_tmpfiles_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep systemd_tmpfiles_t
 +
++
++.SH "ENTRYPOINTS"
++
++The systemd_tmpfiles_t SELinux type can be entered via the "systemd_tmpfiles_exec_t" file type.  The default entrypoint paths for the systemd_tmpfiles_t domain are the following:"
++
++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the systemd_tmpfiles_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible.
++.PP 
++The following process types are defined for systemd_tmpfiles:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B systemd_tmpfiles_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
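Review bot: The PROCESS TYPES text added for systemd_tmpfiles closes the bold `ps` with `\bP` instead of `\fP` (`option to \fBps\bP`), so the bold font is never reset and `\b` is read as a different roff escape. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence in the same hunk also ends with an unbalanced quote (`are the following:"`). Both lines recur unchanged in the tcpd, tcsd and telepathy_* pages further down this patch, so the fix presumably belongs in whatever template produces these pages rather than in each file.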
@@ -83867,27 +90638,9 @@ index 0000000..1cd7d68
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for systemd_tmpfiles:
-+
-+.EX
-+.B systemd_tmpfiles_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type systemd_tmpfiles_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type systemd_tmpfiles_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -83973,6 +90726,22 @@ index 0000000..1cd7d68
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_tmpfiles_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the systemd_tmpfiles_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -83992,19 +90761,50 @@ index 0000000..1cd7d68
 +
 +.SH "SEE ALSO"
 +selinux(8), systemd_tmpfiles(8), semanage(8), restorecon(8), chcon(1)
++, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8
 new file mode 100644
-index 0000000..8ac449c
+index 0000000..fbccb45
 --- /dev/null
 +++ b/man/man8/tcpd_selinux.8
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,129 @@
 +.TH  "tcpd_selinux"  "8"  "tcpd" "dwalsh at redhat.com" "tcpd SELinux Policy documentation"
 +.SH "NAME"
 +tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tcpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tcpd processes via flexible mandatory access control.
++
++The tcpd processes execute with the tcpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep tcpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tcpd_t SELinux type can be entered via the "tcpd_exec_t" file type.  The default entrypoint paths for the tcpd_t domain are the following:"
++
++/usr/sbin/tcpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tcpd:
++
++.EX
++.B tcpd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible.
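Review bot: The added SEE ALSO continuation for systemd_tmpfiles starts on its own line with a leading comma (`, systemd_logger_selinux(8), ...`), and the file now ends without a trailing newline, as the `\ No newline at end of file` marker shows. roff joins the two input lines with a space, so the page renders `chcon(1) , systemd_logger_selinux(8)`. Append the new references to the existing `selinux(8), ... chcon(1)` line and end it with a newline. The systemd_passwd_agent page above and the telepathy_* pages below follow the same pattern.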
@@ -84018,21 +90818,19 @@ index 0000000..8ac449c
 +.EE
 +
 +.PP
-+If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean.
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
 +
 +.EX
-+.B setsebool -P daemons_use_tcp_wrapper 1
++.B setsebool -P selinuxuser_tcp_server 1
 +.EE
 +
 +.PP
-+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean.
 +
 +.EX
-+.B setsebool -P user_tcp_server 1
++.B setsebool -P daemons_use_tcp_wrapper 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -84067,32 +90865,16 @@ index 0000000..8ac449c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tcpd:
-+
-+.EX
-+.B tcpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tcpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tcpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tcpd_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
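Review bot: `.SH NSSWITCH DOMAIN` is re-added to tcpd_selinux.8 with no body, so the rendered page shows an empty section immediately before COMMANDS. The other pages in this patch place the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` paragraphs under that heading. If neither boolean applies to tcpd_t, omit the heading by dropping the `.SH NSSWITCH DOMAIN` line and the blank line after it, instead of moving the empty section.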
@@ -84119,33 +90901,46 @@ index 0000000..8ac449c
 \ No newline at end of file
 diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8
 new file mode 100644
-index 0000000..3c95130
+index 0000000..10ef7e3
 --- /dev/null
 +++ b/man/man8/tcsd_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,150 @@
 +.TH  "tcsd_selinux"  "8"  "tcsd" "dwalsh at redhat.com" "tcsd SELinux Policy documentation"
 +.SH "NAME"
 +tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tcsd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tcsd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tcsd processes execute with the tcsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep tcsd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The tcsd_t SELinux type can be entered via the "tcsd_exec_t" file type.  The default entrypoint paths for the tcsd_t domain are the following:"
++
++/usr/sbin/tcsd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tcsd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B tcsd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -84212,27 +91007,9 @@ index 0000000..3c95130
 +Default Defined Ports:
 +tcp 30003
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tcsd:
-+
-+.EX
-+.B tcsd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tcsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tcsd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tcsd_var_lib_t
@@ -84240,6 +91017,22 @@ index 0000000..3c95130
 +	/var/lib/tpm(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -84264,33 +91057,46 @@ index 0000000..3c95130
 +selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/telepathy_gabble_selinux.8 b/man/man8/telepathy_gabble_selinux.8
 new file mode 100644
-index 0000000..d7a0fc7
+index 0000000..9daffb0
 --- /dev/null
 +++ b/man/man8/telepathy_gabble_selinux.8
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,191 @@
 +.TH  "telepathy_gabble_selinux"  "8"  "telepathy_gabble" "dwalsh at redhat.com" "telepathy_gabble SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_gabble_selinux \- Security Enhanced Linux Policy for the telepathy_gabble processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_gabble processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_gabble processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_gabble processes execute with the telepathy_gabble_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_gabble_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telepathy_gabble_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_gabble_t SELinux type can be entered via the "telepathy_gabble_exec_t" file type.  The default entrypoint paths for the telepathy_gabble_t domain are the following:"
 +
++/usr/libexec/telepathy-gabble
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_gabble_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_gabble:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_gabble_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -84334,27 +91140,9 @@ index 0000000..d7a0fc7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_gabble:
-+
-+.EX
-+.B telepathy_gabble_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_gabble_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_gabble_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -84365,10 +91153,18 @@ index 0000000..d7a0fc7
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
-+
++	/home/dwalsh/\.nv(/.*)?
 +.br
-+.B config_home_t
-+
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.br
++.B config_home_t
++
 +	/root/\.kde(/.*)?
 +.br
 +	/root/\.xine(/.*)?
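Review bot: The MANAGED FILES list for telepathy_gabble now carries `/home/dwalsh/\.nv(/.*)?`, `/home/dwalsh/\.cache(/.*)?` and `/var/lib/xguest/home/xguest/...` entries, which look like per-account expansions from the machine the page was generated on (the `.TH` line names dwalsh as author) rather than policy defaults. They duplicate the `/home/[^/]*/...` pattern listed just above, describe accounts that will not exist on an installed system, and publish build-host account names in a shipped man page. I would drop every `/home/dwalsh/` and `/var/lib/xguest/home/xguest/` line and keep only the generic pattern, ideally by regenerating from file contexts that exclude host-specific home-directory entries. The same additions appear in the config_home_t and telepathy_gabble_cache_home_t hunks of this page and in the telepathy_idle, telepathy_logger and telepathy_mission_control pages.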
@@ -84387,6 +91183,22 @@ index 0000000..d7a0fc7
 +.br
 +	/home/[^/]*/\.Xdefaults
 +.br
++	/home/dwalsh/\.kde(/.*)?
++.br
++	/home/dwalsh/\.xine(/.*)?
++.br
++	/home/dwalsh/\.config(/.*)?
++.br
++	/home/dwalsh/\.Xdefaults
++.br
++	/var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.Xdefaults
++.br
 +
 +.br
 +.B telepathy_gabble_cache_home_t
@@ -84395,6 +91207,30 @@ index 0000000..d7a0fc7
 +.br
 +	/home/[^/]*/\.cache/telepathy/gabble(/.*)?
 +.br
++	/home/dwalsh/\.cache/wocky(/.*)?
++.br
++	/home/dwalsh/\.cache/telepathy/gabble(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache/wocky(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache/telepathy/gabble(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_gabble_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_gabble_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -84415,35 +91251,50 @@ index 0000000..d7a0fc7
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_gabble(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_idle_selinux.8 b/man/man8/telepathy_idle_selinux.8
 new file mode 100644
-index 0000000..c81a382
+index 0000000..971c379
 --- /dev/null
 +++ b/man/man8/telepathy_idle_selinux.8
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,129 @@
 +.TH  "telepathy_idle_selinux"  "8"  "telepathy_idle" "dwalsh at redhat.com" "telepathy_idle SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_idle_selinux \- Security Enhanced Linux Policy for the telepathy_idle processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_idle processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_idle processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_idle processes execute with the telepathy_idle_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_idle_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telepathy_idle_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_idle_t SELinux type can be entered via the "telepathy_idle_exec_t" file type.  The default entrypoint paths for the telepathy_idle_t domain are the following:"
 +
++/usr/libexec/telepathy-idle
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_idle_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_idle:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_idle_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -84479,27 +91330,9 @@ index 0000000..c81a382
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_idle:
-+
-+.EX
-+.B telepathy_idle_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_idle_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_idle_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -84510,6 +91343,30 @@ index 0000000..c81a382
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_idle_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_idle_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -84530,35 +91387,50 @@ index 0000000..c81a382
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_idle(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_logger_selinux.8 b/man/man8/telepathy_logger_selinux.8
 new file mode 100644
-index 0000000..98b1c16
+index 0000000..d7db537
 --- /dev/null
 +++ b/man/man8/telepathy_logger_selinux.8
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,203 @@
 +.TH  "telepathy_logger_selinux"  "8"  "telepathy_logger" "dwalsh at redhat.com" "telepathy_logger SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_logger_selinux \- Security Enhanced Linux Policy for the telepathy_logger processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_logger processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_logger processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_logger processes execute with the telepathy_logger_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep telepathy_logger_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The telepathy_logger_t SELinux type can be entered via the "telepathy_logger_exec_t" file type.  The default entrypoint paths for the telepathy_logger_t domain are the following:"
++
++/usr/libexec/telepathy-logger
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_logger_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_logger:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_logger_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -84610,27 +91482,9 @@ index 0000000..98b1c16
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_logger:
-+
-+.EX
-+.B telepathy_logger_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_logger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_logger_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -84641,6 +91495,14 @@ index 0000000..98b1c16
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
 +
 +.br
 +.B config_home_t
@@ -84663,18 +91525,58 @@ index 0000000..98b1c16
 +.br
 +	/home/[^/]*/\.Xdefaults
 +.br
++	/home/dwalsh/\.kde(/.*)?
++.br
++	/home/dwalsh/\.xine(/.*)?
++.br
++	/home/dwalsh/\.config(/.*)?
++.br
++	/home/dwalsh/\.Xdefaults
++.br
++	/var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.Xdefaults
++.br
 +
 +.br
 +.B telepathy_logger_cache_home_t
 +
 +	/home/[^/]*/\.cache/telepathy/logger(/.*)?
 +.br
++	/home/dwalsh/\.cache/telepathy/logger(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache/telepathy/logger(/.*)?
++.br
 +
 +.br
 +.B telepathy_logger_data_home_t
 +
 +	/home/[^/]*/\.local/share/TpLogger(/.*)?
 +.br
++	/home/dwalsh/\.local/share/TpLogger(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local/share/TpLogger(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_logger_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -84695,35 +91597,50 @@ index 0000000..98b1c16
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_logger(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_mission_control_selinux.8 b/man/man8/telepathy_mission_control_selinux.8
 new file mode 100644
-index 0000000..7ecaef1
+index 0000000..5ce02c3
 --- /dev/null
 +++ b/man/man8/telepathy_mission_control_selinux.8
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,221 @@
 +.TH  "telepathy_mission_control_selinux"  "8"  "telepathy_mission_control" "dwalsh at redhat.com" "telepathy_mission_control SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_mission_control_selinux \- Security Enhanced Linux Policy for the telepathy_mission_control processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_mission_control processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_mission_control processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_mission_control processes execute with the telepathy_mission_control_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_mission_control_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telepathy_mission_control_t
 +
++
++.SH "ENTRYPOINTS"
++
++The telepathy_mission_control_t SELinux type can be entered via the "telepathy_mission_control_exec_t" file type.  The default entrypoint paths for the telepathy_mission_control_t domain are the following:"
++
++/usr/libexec/mission-control-5
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_mission_control:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_mission_control_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -84783,27 +91700,9 @@ index 0000000..7ecaef1
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_mission_control:
-+
-+.EX
-+.B telepathy_mission_control_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_mission_control_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_mission_control_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -84814,6 +91713,14 @@ index 0000000..7ecaef1
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
 +
 +.br
 +.B config_home_t
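Review bot: The added entries `/home/dwalsh/\.nv(/.*)?`, `/home/dwalsh/\.cache(/.*)?` and the two `/var/lib/xguest/home/xguest/...` lines appear to be the generic `/home/[^/]*/...` pattern expanded against the accounts on the machine where the page was generated. They are not default paths of the policy. Shipping them puts a build-host account name and home layout into every installed man page, and it tells administrators that `cache_home_t` covers paths which do not exist on their systems. I would drop the per-account lines and keep only `/home/[^/]*/\.nv(/.*)?` and `/home/[^/]*/\.cache(/.*)?`, ideally by regenerating the pages in a clean build root. The same expansion recurs in the later hunks of this patch for `config_home_t`, the `telepathy_*` home and cache types in the other telepathy pages, and `/tmp/gconfd-dwalsh` / `/tmp/gconfd-xguest` in telnetd_selinux.8.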
@@ -84836,24 +91743,68 @@ index 0000000..7ecaef1
 +.br
 +	/home/[^/]*/\.Xdefaults
 +.br
++	/home/dwalsh/\.kde(/.*)?
++.br
++	/home/dwalsh/\.xine(/.*)?
++.br
++	/home/dwalsh/\.config(/.*)?
++.br
++	/home/dwalsh/\.Xdefaults
++.br
++	/var/lib/xguest/home/xguest/\.kde(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.xine(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.Xdefaults
++.br
 +
 +.br
 +.B telepathy_mission_control_cache_home_t
 +
 +	/home/[^/]*/\.cache/\.mc_connections
 +.br
++	/home/dwalsh/\.cache/\.mc_connections
++.br
++	/var/lib/xguest/home/xguest/\.cache/\.mc_connections
++.br
 +
 +.br
 +.B telepathy_mission_control_data_home_t
 +
 +	/home/[^/]*/\.local/share/telepathy/mission-control(/.*)?
 +.br
++	/home/dwalsh/\.local/share/telepathy/mission-control(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local/share/telepathy/mission-control(/.*)?
++.br
 +
 +.br
 +.B telepathy_mission_control_home_t
 +
 +	/home/[^/]*/\.mission-control(/.*)?
 +.br
++	/home/dwalsh/\.mission-control(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.mission-control(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_mission_control_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -84874,35 +91825,50 @@ index 0000000..7ecaef1
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_mission_control(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_msn_selinux.8 b/man/man8/telepathy_msn_selinux.8
 new file mode 100644
-index 0000000..aaa63f6
+index 0000000..31f72d7
 --- /dev/null
 +++ b/man/man8/telepathy_msn_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,137 @@
 +.TH  "telepathy_msn_selinux"  "8"  "telepathy_msn" "dwalsh at redhat.com" "telepathy_msn SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_msn_selinux \- Security Enhanced Linux Policy for the telepathy_msn processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_msn processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_msn processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_msn processes execute with the telepathy_msn_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telepathy_msn_t
 +
++
++.SH "ENTRYPOINTS"
++
++The telepathy_msn_t SELinux type can be entered via the "telepathy_msn_exec_t" file type.  The default entrypoint paths for the telepathy_msn_t domain are the following:"
++
++/usr/libexec/telepathy-butterfly, /usr/libexec/telepathy-haze
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_msn_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_msn:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_msn_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
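Review bot: The relocated PROCESS TYPES text still contains `\fBps\bP`, which looks like a typo for `\fBps\fP`; the DESCRIPTION paragraph added in this same hunk closes the font with `\fP`. The new ENTRYPOINTS sentence also ends with a stray double quote (`are the following:"`). The SEE ALSO continuation is added as a separate line starting with `, telepathy_gabble_selinux(8)` and without a trailing newline, so the list reads `chcon(1) , telepathy_...` in the source. These pages look generated, so the fix probably belongs in the generator template: `\fBps\fP`, no closing quote after `following:`, and the cross-references appended to the existing SEE ALSO line. The same three patterns repeat in the corresponding hunks for the salut, sofiasip, stream_engine, sunshine and telnetd pages.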
@@ -84942,27 +91908,9 @@ index 0000000..aaa63f6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_msn:
-+
-+.EX
-+.B telepathy_msn_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_msn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_msn_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -84973,11 +91921,35 @@ index 0000000..aaa63f6
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
 +
 +.br
 +.B telepathy_msn_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_msn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -84997,35 +91969,50 @@ index 0000000..aaa63f6
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_msn(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_salut_selinux.8 b/man/man8/telepathy_salut_selinux.8
 new file mode 100644
-index 0000000..009b622
+index 0000000..99807a4
 --- /dev/null
 +++ b/man/man8/telepathy_salut_selinux.8
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,129 @@
 +.TH  "telepathy_salut_selinux"  "8"  "telepathy_salut" "dwalsh at redhat.com" "telepathy_salut SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_salut_selinux \- Security Enhanced Linux Policy for the telepathy_salut processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_salut processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_salut processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_salut processes execute with the telepathy_salut_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_salut_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep telepathy_salut_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The telepathy_salut_t SELinux type can be entered via the "telepathy_salut_exec_t" file type.  The default entrypoint paths for the telepathy_salut_t domain are the following:"
++
++/usr/libexec/telepathy-salut
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_salut_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_salut:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_salut_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -85061,27 +92048,9 @@ index 0000000..009b622
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_salut:
-+
-+.EX
-+.B telepathy_salut_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_salut_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_salut_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -85092,6 +92061,30 @@ index 0000000..009b622
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_salut_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_salut_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -85112,35 +92105,50 @@ index 0000000..009b622
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_salut(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_sofiasip_selinux.8 b/man/man8/telepathy_sofiasip_selinux.8
 new file mode 100644
-index 0000000..2b6a402
+index 0000000..ff0e3cc
 --- /dev/null
 +++ b/man/man8/telepathy_sofiasip_selinux.8
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,129 @@
 +.TH  "telepathy_sofiasip_selinux"  "8"  "telepathy_sofiasip" "dwalsh at redhat.com" "telepathy_sofiasip SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_sofiasip_selinux \- Security Enhanced Linux Policy for the telepathy_sofiasip processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_sofiasip processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_sofiasip processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_sofiasip processes execute with the telepathy_sofiasip_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sofiasip_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telepathy_sofiasip_t
++
++
++.SH "ENTRYPOINTS"
++
++The telepathy_sofiasip_t SELinux type can be entered via the "telepathy_sofiasip_exec_t" file type.  The default entrypoint paths for the telepathy_sofiasip_t domain are the following:"
 +
++/usr/libexec/telepathy-sofiasip
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_sofiasip_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_sofiasip:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_sofiasip_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -85176,27 +92184,9 @@ index 0000000..2b6a402
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_sofiasip:
-+
-+.EX
-+.B telepathy_sofiasip_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_sofiasip_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_sofiasip_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -85207,6 +92197,30 @@ index 0000000..2b6a402
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sofiasip_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_sofiasip_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -85227,35 +92241,50 @@ index 0000000..2b6a402
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_sofiasip(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_stream_engine_selinux.8 b/man/man8/telepathy_stream_engine_selinux.8
 new file mode 100644
-index 0000000..bc462b2
+index 0000000..692ac39
 --- /dev/null
 +++ b/man/man8/telepathy_stream_engine_selinux.8
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,129 @@
 +.TH  "telepathy_stream_engine_selinux"  "8"  "telepathy_stream_engine" "dwalsh at redhat.com" "telepathy_stream_engine SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_stream_engine_selinux \- Security Enhanced Linux Policy for the telepathy_stream_engine processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_stream_engine processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_stream_engine processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_stream_engine processes execute with the telepathy_stream_engine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_stream_engine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep telepathy_stream_engine_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The telepathy_stream_engine_t SELinux type can be entered via the "telepathy_stream_engine_exec_t" file type.  The default entrypoint paths for the telepathy_stream_engine_t domain are the following:"
++
++/usr/libexec/telepathy-stream-engine
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_stream_engine_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_stream_engine:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_stream_engine_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -85291,27 +92320,9 @@ index 0000000..bc462b2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_stream_engine:
-+
-+.EX
-+.B telepathy_stream_engine_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_stream_engine_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_stream_engine_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -85322,10 +92333,34 @@ index 0000000..bc462b2
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
 +
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_stream_engine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_stream_engine_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
 +.PP
 +.B semanage permissive
 +can also be used to manipulate whether or not a process type is permissive.
@@ -85342,35 +92377,50 @@ index 0000000..bc462b2
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_stream_engine(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_sunshine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telepathy_sunshine_selinux.8 b/man/man8/telepathy_sunshine_selinux.8
 new file mode 100644
-index 0000000..1723c12
+index 0000000..c26b9f1
 --- /dev/null
 +++ b/man/man8/telepathy_sunshine_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,151 @@
 +.TH  "telepathy_sunshine_selinux"  "8"  "telepathy_sunshine" "dwalsh at redhat.com" "telepathy_sunshine SELinux Policy documentation"
 +.SH "NAME"
 +telepathy_sunshine_selinux \- Security Enhanced Linux Policy for the telepathy_sunshine processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telepathy_sunshine processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telepathy_sunshine processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telepathy_sunshine processes execute with the telepathy_sunshine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sunshine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telepathy_sunshine_t
 +
++
++.SH "ENTRYPOINTS"
++
++The telepathy_sunshine_t SELinux type can be entered via the "telepathy_sunshine_exec_t" file type.  The default entrypoint paths for the telepathy_sunshine_t domain are the following:"
++
++/usr/libexec/telepathy-sunshine
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telepathy_sunshine_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible.
++.PP 
++The following process types are defined for telepathy_sunshine:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telepathy_sunshine_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -85414,27 +92464,9 @@ index 0000000..1723c12
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telepathy_sunshine:
-+
-+.EX
-+.B telepathy_sunshine_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telepathy_sunshine_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telepathy_sunshine_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cache_home_t
@@ -85445,17 +92477,45 @@ index 0000000..1723c12
 +.br
 +	/home/[^/]*/\.cache(/.*)?
 +.br
++	/home/dwalsh/\.nv(/.*)?
++.br
++	/home/dwalsh/\.cache(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.nv(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache(/.*)?
++.br
 +
 +.br
 +.B telepathy_sunshine_home_t
 +
 +	/home/[^/]*/\.telepathy-sunshine(/.*)?
 +.br
++	/home/dwalsh/\.telepathy-sunshine(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.telepathy-sunshine(/.*)?
++.br
 +
 +.br
 +.B telepathy_sunshine_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sunshine_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telepathy_sunshine_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -85475,35 +92535,50 @@ index 0000000..1723c12
 +
 +.SH "SEE ALSO"
 +selinux(8), telepathy_sunshine(8), semanage(8), restorecon(8), chcon(1)
++, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8
 new file mode 100644
-index 0000000..cc1c99b
+index 0000000..767d7d3
 --- /dev/null
 +++ b/man/man8/telnetd_selinux.8
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,222 @@
 +.TH  "telnetd_selinux"  "8"  "telnetd" "dwalsh at redhat.com" "telnetd SELinux Policy documentation"
 +.SH "NAME"
 +telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the telnetd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the telnetd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The telnetd processes execute with the telnetd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep telnetd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The telnetd_t SELinux type can be entered via the "telnetd_exec_t" file type.  The default entrypoint paths for the telnetd_t domain are the following:"
++
++/usr/kerberos/sbin/telnetd, /usr/sbin/in\.telnetd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
++.PP 
++The following process types are defined for telnetd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B telnetd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -85582,27 +92657,9 @@ index 0000000..cc1c99b
 +Default Defined Ports:
 +tcp 23
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for telnetd:
-+
-+.EX
-+.B telnetd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type telnetd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type telnetd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B initrc_var_run_t
@@ -85659,6 +92716,10 @@ index 0000000..cc1c99b
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B wtmp_t
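Review bot: The added entries `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` name specific accounts rather than policy defaults, and both are already matched by `/tmp/gconfd-.*` on the line above. The thumb_selinux.8 hunks further down add the same kind of entry (`/home/dwalsh/\.thumbnails(/.*)?`, `/var/lib/xguest/home/xguest/\.fontconfig(/.*)?`), some of them twice. Presumably the page generator expanded the per-user templates against the accounts on the machine it ran on. Shipping that output puts a local username into the man page and suggests the policy labels paths that do not exist on the reader's system. I would regenerate the pages from an environment without local users, or drop the expanded entries and keep only the `/home/[^/]*/...` and `/tmp/gconfd-.*` patterns.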
@@ -85666,6 +92727,22 @@ index 0000000..cc1c99b
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -85690,33 +92767,46 @@ index 0000000..cc1c99b
 +selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8
 new file mode 100644
-index 0000000..92b31f8
+index 0000000..1181d2e
 --- /dev/null
 +++ b/man/man8/tftpd_selinux.8
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,204 @@
 +.TH  "tftpd_selinux"  "8"  "tftpd" "dwalsh at redhat.com" "tftpd SELinux Policy documentation"
 +.SH "NAME"
 +tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tftpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tftpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tftpd processes execute with the tftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep tftpd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tftpd_t SELinux type can be entered via the "tftpd_exec_t" file type.  The default entrypoint paths for the tftpd_t domain are the following:"
 +
++/usr/sbin/in\.tftpd, /usr/sbin/atftpd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tftpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B tftpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
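Review bot: The relocated PROCESS TYPES text still reads `\fBps\bP`, where `\b` is not the font-restore escape, so the bold run started by `\fB` is probably not closed as intended. The DESCRIPTION paragraph added in this same hunk uses the correct form, so the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray quote (`are the following:"`) that should be removed. Both strings repeat in every *_selinux.8 section of this patch, so the fix belongs in the generator template rather than in the individual pages.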
@@ -85833,27 +92923,9 @@ index 0000000..92b31f8
 +Default Defined Ports:
 +udp 69
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tftpd:
-+
-+.EX
-+.B tftpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tftpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tftpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tftpd_var_run_t
@@ -85865,6 +92937,22 @@ index 0000000..92b31f8
 +	/var/lib/tftpboot(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -85889,19 +92977,46 @@ index 0000000..92b31f8
 +selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8
 new file mode 100644
-index 0000000..3817e99
+index 0000000..797d38e
 --- /dev/null
 +++ b/man/man8/tgtd_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,144 @@
 +.TH  "tgtd_selinux"  "8"  "tgtd" "dwalsh at redhat.com" "tgtd SELinux Policy documentation"
 +.SH "NAME"
 +tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tgtd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tgtd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tgtd processes execute with the tgtd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep tgtd_t
++
++
++.SH "ENTRYPOINTS"
++
++The tgtd_t SELinux type can be entered via the "tgtd_exec_t" file type.  The default entrypoint paths for the tgtd_t domain are the following:"
++
++/usr/sbin/tgtd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
++.PP 
++The following process types are defined for tgtd:
++
++.EX
++.B tgtd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -85969,27 +93084,9 @@ index 0000000..3817e99
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tgtd:
-+
-+.EX
-+.B tgtd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tgtd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tgtd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tgtd_tmpfs_t
@@ -86007,6 +93104,8 @@ index 0000000..3817e99
 +	/var/run/tgtd.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
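Review bot: `.SH NSSWITCH DOMAIN` is added here with no body and is followed directly by `.SH "COMMANDS"`, so the tgtd page renders an empty section. The tomcat_selinux.8 hunk does the same, and in traceroute_selinux.8 the MANAGED FILES sentence announces "the following file types" with nothing listed after it. An empty heading in a policy man page is ambiguous: a reader cannot tell whether no booleans apply to the domain or whether the generator failed to list them. I would emit the heading only when at least one paragraph follows it, or print an explicit line such as `No nsswitch booleans apply to this domain.`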
@@ -86028,33 +93127,46 @@ index 0000000..3817e99
 +selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8
 new file mode 100644
-index 0000000..97f8a06
+index 0000000..e6ab0d7
 --- /dev/null
 +++ b/man/man8/thumb_selinux.8
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,238 @@
 +.TH  "thumb_selinux"  "8"  "thumb" "dwalsh at redhat.com" "thumb SELinux Policy documentation"
 +.SH "NAME"
 +thumb_selinux \- Security Enhanced Linux Policy for the thumb processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the thumb processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the thumb processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The thumb processes execute with the thumb_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep thumb_t
++
++
++.SH "ENTRYPOINTS"
 +
++The thumb_t SELinux type can be entered via the "thumb_exec_t" file type.  The default entrypoint paths for the thumb_t domain are the following:"
++
++/usr/bin/whaaw-thumbnailer, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/shotwell-video-thumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/[^/]*thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/gsf-office-thumbnailer, /usr/bin/totem-video-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
++.PP 
++The following process types are defined for thumb:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B thumb_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -86110,27 +93222,9 @@ index 0000000..97f8a06
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for thumb:
-+
-+.EX
-+.B thumb_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type thumb_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type thumb_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B gstreamer_home_t
@@ -86149,6 +93243,26 @@ index 0000000..97f8a06
 +.br
 +	/home/[^/]*/\.grl-metadata-store
 +.br
++	/home/dwalsh/\.orc(/.*)?
++.br
++	/home/dwalsh/\.gstreamer-.*
++.br
++	/home/dwalsh/\.grl-bookmarks
++.br
++	/home/dwalsh/\.grl-bookmarks
++.br
++	/home/dwalsh/\.grl-metadata-store
++.br
++	/var/lib/xguest/home/xguest/\.orc(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.gstreamer-.*
++.br
++	/var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++	/var/lib/xguest/home/xguest/\.grl-bookmarks
++.br
++	/var/lib/xguest/home/xguest/\.grl-metadata-store
++.br
 +
 +.br
 +.B thumb_home_t
@@ -86159,6 +93273,18 @@ index 0000000..97f8a06
 +.br
 +	/home/[^/]*/\.cache/thumbnails(/.*)?
 +.br
++	/home/dwalsh/\.thumbnails(/.*)?
++.br
++	/home/dwalsh/missfont\.log.*
++.br
++	/home/dwalsh/\.cache/thumbnails(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.thumbnails(/.*)?
++.br
++	/var/lib/xguest/home/xguest/missfont\.log.*
++.br
++	/var/lib/xguest/home/xguest/\.cache/thumbnails(/.*)?
++.br
 +
 +.br
 +.B thumb_tmp_t
@@ -86169,12 +93295,60 @@ index 0000000..97f8a06
 +
 +
 +.br
++.B user_fonts_cache_t
++
++	/root/\.fontconfig(/.*)?
++.br
++	/root/\.fonts/auto(/.*)?
++.br
++	/root/\.fonts\.cache-.*
++.br
++	/home/[^/]*/\.fontconfig(/.*)?
++.br
++	/home/[^/]*/\.fonts/auto(/.*)?
++.br
++	/home/[^/]*/\.fonts\.cache-.*
++.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.br
 +.B user_tmp_t
 +
 +	/var/run/user(/.*)?
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -86197,33 +93371,46 @@ index 0000000..97f8a06
 +selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8
 new file mode 100644
-index 0000000..4a2c44b
+index 0000000..b615ec6
 --- /dev/null
 +++ b/man/man8/tmpreaper_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "tmpreaper_selinux"  "8"  "tmpreaper" "dwalsh at redhat.com" "tmpreaper SELinux Policy documentation"
 +.SH "NAME"
 +tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tmpreaper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tmpreaper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tmpreaper processes execute with the tmpreaper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep tmpreaper_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The tmpreaper_t SELinux type can be entered via the "tmpreaper_exec_t" file type.  The default entrypoint paths for the tmpreaper_t domain are the following:"
++
++/usr/sbin/tmpwatch, /usr/sbin/tmpreaper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
++.PP 
++The following process types are defined for tmpreaper:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B tmpreaper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -86255,27 +93442,9 @@ index 0000000..4a2c44b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tmpreaper:
-+
-+.EX
-+.B tmpreaper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tmpreaper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tmpreaper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B amavis_spool_t
@@ -86309,6 +93478,22 @@ index 0000000..4a2c44b
 +	/var/cache/PackageKit(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -86330,19 +93515,46 @@ index 0000000..4a2c44b
 +selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tomcat_selinux.8 b/man/man8/tomcat_selinux.8
 new file mode 100644
-index 0000000..139155c
+index 0000000..e8eb1aa
 --- /dev/null
 +++ b/man/man8/tomcat_selinux.8
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,164 @@
 +.TH  "tomcat_selinux"  "8"  "tomcat" "dwalsh at redhat.com" "tomcat SELinux Policy documentation"
 +.SH "NAME"
 +tomcat_selinux \- Security Enhanced Linux Policy for the tomcat processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tomcat processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tomcat processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tomcat processes execute with the tomcat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep tomcat_t
++
++
++.SH "ENTRYPOINTS"
++
++The tomcat_t SELinux type can be entered via the "tomcat_exec_t" file type.  The default entrypoint paths for the tomcat_t domain are the following:"
++
++/usr/sbin/tomcat(6)?
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible.
++.PP 
++The following process types are defined for tomcat:
++
++.EX
++.B tomcat_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -86418,27 +93630,9 @@ index 0000000..139155c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tomcat:
-+
-+.EX
-+.B tomcat_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tomcat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tomcat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tomcat_cache_t
@@ -86468,6 +93662,8 @@ index 0000000..139155c
 +	/var/run/tomcat6?\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -86489,43 +93685,56 @@ index 0000000..139155c
 +selinux(8), tomcat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8
 new file mode 100644
-index 0000000..be9fcf4
+index 0000000..d6c27eb
 --- /dev/null
 +++ b/man/man8/tor_selinux.8
-@@ -0,0 +1,219 @@
+@@ -0,0 +1,230 @@
 +.TH  "tor_selinux"  "8"  "tor" "dwalsh at redhat.com" "tor SELinux Policy documentation"
 +.SH "NAME"
 +tor_selinux \- Security Enhanced Linux Policy for the tor processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tor processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tor processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible.
++The tor processes execute with the tor_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
++.B ps -eZ | grep tor_t
 +
-+.EX
-+.B setsebool -P tor_bind_all_unreserved_ports 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
++
++The tor_t SELinux type can be entered via the "tor_exec_t" file type.  The default entrypoint paths for the tor_t domain are the following:"
 +
++/usr/sbin/tor, /usr/bin/tor
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
++.PP 
++The following process types are defined for tor:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B tor_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean.
++If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P tor_bind_all_unreserved_ports 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -86644,27 +93853,9 @@ index 0000000..be9fcf4
 +Default Defined Ports:
 +tcp 9050
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tor:
-+
-+.EX
-+.B tor_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tor_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tor_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tor_var_lib_t
@@ -86686,6 +93877,22 @@ index 0000000..be9fcf4
 +	/var/run/tor(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -86715,33 +93922,46 @@ index 0000000..be9fcf4
 \ No newline at end of file
 diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8
 new file mode 100644
-index 0000000..cd79def
+index 0000000..40fae9f
 --- /dev/null
 +++ b/man/man8/traceroute_selinux.8
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,132 @@
 +.TH  "traceroute_selinux"  "8"  "traceroute" "dwalsh at redhat.com" "traceroute SELinux Policy documentation"
 +.SH "NAME"
 +traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the traceroute processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the traceroute processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The traceroute processes execute with the traceroute_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep traceroute_t
++
++
++.SH "ENTRYPOINTS"
 +
++The traceroute_t SELinux type can be entered via the "traceroute_exec_t" file type.  The default entrypoint paths for the traceroute_t domain are the following:"
++
++/bin/tracepath.*, /usr/sbin/mtr, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
++.PP 
++The following process types are defined for traceroute:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B traceroute_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -86796,27 +94016,25 @@ index 0000000..cd79def
 +Default Defined Ports:
 +udp 64000-64010
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type traceroute_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for traceroute:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B traceroute_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type traceroute_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
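Review bot: The sentence re-added under `.SH NSSWITCH DOMAIN` still reads "rather then using a sssd serve for the traceroute_t", which obscures what the `authlogin_nsswitch_use_ldap` boolean actually permits. I would have the generator emit `If you want to allow users to resolve user passwd entries directly from ldap rather than using an sssd server for traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean.` The same wording is moved unchanged in the tuned_selinux.8, udev_selinux.8 and updfstab_selinux.8 hunks. In this hunk `.SH "MANAGED FILES"` also announces "the following file types" and is followed directly by the next heading, so the section lists nothing.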
@@ -86842,33 +94060,46 @@ index 0000000..cd79def
 +selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8
 new file mode 100644
-index 0000000..3d7fc19
+index 0000000..c7a9d44
 --- /dev/null
 +++ b/man/man8/tuned_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,178 @@
 +.TH  "tuned_selinux"  "8"  "tuned" "dwalsh at redhat.com" "tuned SELinux Policy documentation"
 +.SH "NAME"
 +tuned_selinux \- Security Enhanced Linux Policy for the tuned processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tuned processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tuned processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tuned processes execute with the tuned_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep tuned_t
 +
++
++.SH "ENTRYPOINTS"
++
++The tuned_t SELinux type can be entered via the "tuned_exec_t" file type.  The default entrypoint paths for the tuned_t domain are the following:"
++
++/usr/sbin/tuned
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
++.PP 
++The following process types are defined for tuned:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B tuned_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
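Review bot: The relocated PROCESS TYPES text keeps the escape `\fBps\bP`, which is not the font reset `\fP`, so the bold started by `\fB` is never closed and the rest of the line will probably render wrongly. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same line is carried over in the tvtime, udev, ulogd, uml, uml_switch, update_modules and updfstab pages, so the fix belongs in the template that generates them. The ENTRYPOINTS sentence in this hunk also ends with a stray `"` after `the following:`.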
@@ -86944,27 +94175,9 @@ index 0000000..3d7fc19
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tuned:
-+
-+.EX
-+.B tuned_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tuned_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tuned_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sysfs_t
@@ -86994,6 +94207,22 @@ index 0000000..3d7fc19
 +	/var/run/tuned\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -87015,19 +94244,46 @@ index 0000000..3d7fc19
 +selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8
 new file mode 100644
-index 0000000..e927877
+index 0000000..03585c4
 --- /dev/null
 +++ b/man/man8/tvtime_selinux.8
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,152 @@
 +.TH  "tvtime_selinux"  "8"  "tvtime" "dwalsh at redhat.com" "tvtime SELinux Policy documentation"
 +.SH "NAME"
 +tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the tvtime processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the tvtime processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The tvtime processes execute with the tvtime_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep tvtime_t
++
++
++.SH "ENTRYPOINTS"
++
++The tvtime_t SELinux type can be entered via the "tvtime_exec_t" file type.  The default entrypoint paths for the tvtime_t domain are the following:"
++
++/usr/bin/tvtime
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
++.PP 
++The following process types are defined for tvtime:
++
++.EX
++.B tvtime_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -87079,27 +94335,9 @@ index 0000000..e927877
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for tvtime:
-+
-+.EX
-+.B tvtime_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type tvtime_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type tvtime_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B tvtime_home_t
@@ -87128,6 +94366,20 @@ index 0000000..e927877
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
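Review bot: The added entries `/home/dwalsh/\.fontconfig(/.*)?`, `/home/dwalsh/\.fonts/auto(/.*)?` and `/home/dwalsh/\.fonts\.cache-.*`, together with the `/var/lib/xguest/home/xguest/...` ones, look like per-user expansions of the `/home/[^/]*/...` patterns listed just above them. They appear to come from the machine the page was generated on, although the generator itself is not visible here. Shipping them puts a build-host account name into the documentation and lists paths that will not exist on other systems. I would generate the MANAGED FILES list from the policy's generic home-directory patterns only and drop these lines. The uml_selinux.8 hunk adds `/home/dwalsh/\.uml(/.*)?` in the same way.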
@@ -87150,33 +94402,46 @@ index 0000000..e927877
 +selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8
 new file mode 100644
-index 0000000..ff99256
+index 0000000..dae2181
 --- /dev/null
 +++ b/man/man8/udev_selinux.8
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,334 @@
 +.TH  "udev_selinux"  "8"  "udev" "dwalsh at redhat.com" "udev SELinux Policy documentation"
 +.SH "NAME"
 +udev_selinux \- Security Enhanced Linux Policy for the udev processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the udev processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the udev processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The udev processes execute with the udev_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep udev_t
++
++
++.SH "ENTRYPOINTS"
 +
++The udev_t SELinux type can be entered via the "udev_exec_t,udev_helper_exec_t" file types.  The default entrypoint paths for the udev_t domain are the following:"
++
++/lib/udev/udevd, /usr/bin/udevinfo, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/sbin/start_udev, /usr/sbin/udev, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /sbin/wait_for_sysfs, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/lib/systemd/systemd-udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd, /etc/udev/scripts/.+, /etc/hotplug\.d/default/udev.*, /etc/dev\.d/.+
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
++.PP 
++The following process types are defined for udev:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B udev_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -87248,27 +94513,9 @@ index 0000000..ff99256
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for udev:
-+
-+.EX
-+.B udev_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type udev_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type udev_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -87458,6 +94705,22 @@ index 0000000..ff99256
 +	/var/log/xen-hotplug\.log.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -87479,19 +94742,46 @@ index 0000000..ff99256
 +selinux(8), udev(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8
 new file mode 100644
-index 0000000..120df48
+index 0000000..dd4e7bb
 --- /dev/null
 +++ b/man/man8/ulogd_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,126 @@
 +.TH  "ulogd_selinux"  "8"  "ulogd" "dwalsh at redhat.com" "ulogd SELinux Policy documentation"
 +.SH "NAME"
 +ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ulogd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ulogd processes via flexible mandatory access control.
++
++The ulogd processes execute with the ulogd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ulogd_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The ulogd_t SELinux type can be entered via the "ulogd_exec_t" file type.  The default entrypoint paths for the ulogd_t domain are the following:"
++
++/usr/sbin/ulogd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
++.PP 
++The following process types are defined for ulogd:
++
++.EX
++.B ulogd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -87551,27 +94841,9 @@ index 0000000..120df48
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ulogd:
-+
-+.EX
-+.B ulogd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ulogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ulogd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ulogd_var_log_t
@@ -87579,6 +94851,8 @@ index 0000000..120df48
 +	/var/log/ulogd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
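Review bot: The `.SH NSSWITCH DOMAIN` heading added here has no body, since `.SH "COMMANDS"` follows after one blank line, so ulogd_selinux.8 renders an empty section. A reader could take that to mean the nsswitch booleans apply to ulogd_t, while the page names none. The generator should emit the heading only when at least one boolean paragraph follows it. The tvtime, uml, uml_switch and update_modules pages get the same empty heading in this commit.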
@@ -87600,19 +94874,46 @@ index 0000000..120df48
 +selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8
 new file mode 100644
-index 0000000..6cbcd1b
+index 0000000..efb8e95
 --- /dev/null
 +++ b/man/man8/uml_selinux.8
-@@ -0,0 +1,140 @@
+@@ -0,0 +1,155 @@
 +.TH  "uml_selinux"  "8"  "uml" "dwalsh at redhat.com" "uml SELinux Policy documentation"
 +.SH "NAME"
 +uml_selinux \- Security Enhanced Linux Policy for the uml processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the uml processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the uml processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The uml processes execute with the uml_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep uml_t
++
++
++.SH "ENTRYPOINTS"
++
++The uml_t SELinux type can be entered via the "uml_exec_t" file type.  The default entrypoint paths for the uml_t domain are the following:"
++
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
++.PP 
++The following process types are defined for uml:
++
++.EX
++.B uml_switch_t, uml_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -87688,33 +94989,19 @@ index 0000000..6cbcd1b
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for uml:
-+
-+.EX
-+.B uml_switch_t, uml_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type uml_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type uml_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B uml_rw_t
 +
 +	/home/[^/]*/\.uml(/.*)?
 +.br
++	/home/dwalsh/\.uml(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.uml(/.*)?
++.br
 +
 +.br
 +.B uml_tmp_t
@@ -87724,6 +95011,8 @@ index 0000000..6cbcd1b
 +.B uml_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -87747,19 +95036,46 @@ index 0000000..6cbcd1b
 \ No newline at end of file
 diff --git a/man/man8/uml_switch_selinux.8 b/man/man8/uml_switch_selinux.8
 new file mode 100644
-index 0000000..d69f677
+index 0000000..6c1bc5e
 --- /dev/null
 +++ b/man/man8/uml_switch_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "uml_switch_selinux"  "8"  "uml_switch" "dwalsh at redhat.com" "uml_switch SELinux Policy documentation"
 +.SH "NAME"
 +uml_switch_selinux \- Security Enhanced Linux Policy for the uml_switch processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the uml_switch processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the uml_switch processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The uml_switch processes execute with the uml_switch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep uml_switch_t
++
++
++.SH "ENTRYPOINTS"
++
++The uml_switch_t SELinux type can be entered via the "uml_switch_exec_t" file type.  The default entrypoint paths for the uml_switch_t domain are the following:"
++
++/usr/bin/uml_switch
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible.
++.PP 
++The following process types are defined for uml_switch:
++
++.EX
++.B uml_switch_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -87795,27 +95111,9 @@ index 0000000..d69f677
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for uml_switch:
-+
-+.EX
-+.B uml_switch_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type uml_switch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type uml_switch_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B uml_switch_var_run_t
@@ -87823,6 +95121,8 @@ index 0000000..d69f677
 +	/var/run/uml-utilities(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -87842,11 +95142,11 @@ index 0000000..d69f677
 +
 +.SH "SEE ALSO"
 +selinux(8), uml_switch(8), semanage(8), restorecon(8), chcon(1)
-+, uml_selinux(8)
++, uml_selinux(8), uml_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8
 new file mode 100644
-index 0000000..419d7ad
+index 0000000..105d368
 --- /dev/null
 +++ b/man/man8/unconfined_selinux.8
 @@ -0,0 +1,121 @@
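Review bot: The SEE ALSO continuation line now lists the same page twice, `, uml_selinux(8), uml_selinux(8)`, where the previous revision had it once. The related-pages list should be de-duplicated before it is written, giving `, uml_selinux(8)`. Starting a separate line with `, ` also leaves a space before the comma once the two lines are filled, so the entry would read better appended to the line above.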
@@ -87940,7 +95240,7 @@ index 0000000..419d7ad
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type unconfined_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type unconfined_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B file_type
@@ -87974,19 +95274,46 @@ index 0000000..419d7ad
 \ No newline at end of file
 diff --git a/man/man8/update_modules_selinux.8 b/man/man8/update_modules_selinux.8
 new file mode 100644
-index 0000000..4603438
+index 0000000..a14a513
 --- /dev/null
 +++ b/man/man8/update_modules_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "update_modules_selinux"  "8"  "update_modules" "dwalsh at redhat.com" "update_modules SELinux Policy documentation"
 +.SH "NAME"
 +update_modules_selinux \- Security Enhanced Linux Policy for the update_modules processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the update_modules processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the update_modules processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The update_modules processes execute with the update_modules_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep update_modules_t
++
++
++.SH "ENTRYPOINTS"
++
++The update_modules_t SELinux type can be entered via the "update_modules_exec_t" file type.  The default entrypoint paths for the update_modules_t domain are the following:"
++
++/usr/sbin/modules-update, /sbin/modules-update, /sbin/generate-modprobe\.conf, /sbin/update-modules, /usr/sbin/generate-modprobe\.conf, /usr/sbin/update-modules
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible.
++.PP 
++The following process types are defined for update_modules:
++
++.EX
++.B update_modules_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -88026,27 +95353,9 @@ index 0000000..4603438
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for update_modules:
-+
-+.EX
-+.B update_modules_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type update_modules_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type update_modules_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B modules_conf_t
@@ -88072,6 +95381,8 @@ index 0000000..4603438
 +.B update_modules_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -88093,33 +95404,46 @@ index 0000000..4603438
 +selinux(8), update_modules(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8
 new file mode 100644
-index 0000000..25a41bc
+index 0000000..1d57844
 --- /dev/null
 +++ b/man/man8/updfstab_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,166 @@
 +.TH  "updfstab_selinux"  "8"  "updfstab" "dwalsh at redhat.com" "updfstab SELinux Policy documentation"
 +.SH "NAME"
 +updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the updfstab processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the updfstab processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The updfstab processes execute with the updfstab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep updfstab_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The updfstab_t SELinux type can be entered via the "updfstab_exec_t" file type.  The default entrypoint paths for the updfstab_t domain are the following:"
++
++/usr/sbin/updfstab, /usr/sbin/fstab-sync
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
++.PP 
++The following process types are defined for updfstab:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B updfstab_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -88151,27 +95475,9 @@ index 0000000..25a41bc
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for updfstab:
-+
-+.EX
-+.B updfstab_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type updfstab_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type updfstab_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_t
@@ -88233,6 +95539,22 @@ index 0000000..25a41bc
 +	/selinux
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -88254,33 +95576,46 @@ index 0000000..25a41bc
 +selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8
 new file mode 100644
-index 0000000..d56a2c4
+index 0000000..957e845
 --- /dev/null
 +++ b/man/man8/updpwd_selinux.8
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,168 @@
 +.TH  "updpwd_selinux"  "8"  "updpwd" "dwalsh at redhat.com" "updpwd SELinux Policy documentation"
 +.SH "NAME"
 +updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the updpwd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the updpwd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The updpwd processes execute with the updpwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep updpwd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The updpwd_t SELinux type can be entered via the "updpwd_exec_t" file type.  The default entrypoint paths for the updpwd_t domain are the following:"
++
++/sbin/unix_update, /usr/sbin/unix_update
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
++.PP 
++The following process types are defined for updpwd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B updpwd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
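Review bot: The relocated PROCESS TYPES text in this updpwd page still closes the `ps` reference with `\bP` rather than `\fP`, so the bold font is not reset after `\fBps`; the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray `"` after `the following:`. Both defects repeat in the page-header hunks for usbmodules, usbmuxd, useradd, usernetctl and utempter further down. These pages appear to come from one template, so the fix presumably belongs there rather than in each page.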
@@ -88312,27 +95647,9 @@ index 0000000..d56a2c4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for updpwd:
-+
-+.EX
-+.B updpwd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type updpwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type updpwd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B etc_t
@@ -88396,6 +95713,22 @@ index 0000000..d56a2c4
 +	/etc/security/opasswd\.old
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -88417,19 +95750,46 @@ index 0000000..d56a2c4
 +selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8
 new file mode 100644
-index 0000000..d1f54d5
+index 0000000..4134cc4
 --- /dev/null
 +++ b/man/man8/usbmodules_selinux.8
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,96 @@
 +.TH  "usbmodules_selinux"  "8"  "usbmodules" "dwalsh at redhat.com" "usbmodules SELinux Policy documentation"
 +.SH "NAME"
 +usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the usbmodules processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the usbmodules processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The usbmodules processes execute with the usbmodules_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep usbmodules_t
++
++
++.SH "ENTRYPOINTS"
++
++The usbmodules_t SELinux type can be entered via the "usbmodules_exec_t" file type.  The default entrypoint paths for the usbmodules_t domain are the following:"
++
++/usr/sbin/usbmodules, /sbin/usbmodules
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
++.PP 
++The following process types are defined for usbmodules:
++
++.EX
++.B usbmodules_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -88461,32 +95821,16 @@ index 0000000..d1f54d5
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for usbmodules:
-+
-+.EX
-+.B usbmodules_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type usbmodules_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type usbmodules_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B usbfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -88508,33 +95852,46 @@ index 0000000..d1f54d5
 +selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8
 new file mode 100644
-index 0000000..d031d76
+index 0000000..b1c1d8b
 --- /dev/null
 +++ b/man/man8/usbmuxd_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,116 @@
 +.TH  "usbmuxd_selinux"  "8"  "usbmuxd" "dwalsh at redhat.com" "usbmuxd SELinux Policy documentation"
 +.SH "NAME"
 +usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the usbmuxd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the usbmuxd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The usbmuxd processes execute with the usbmuxd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep usbmuxd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The usbmuxd_t SELinux type can be entered via the "usbmuxd_exec_t" file type.  The default entrypoint paths for the usbmuxd_t domain are the following:"
++
++/usr/sbin/usbmuxd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
++.PP 
++The following process types are defined for usbmuxd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B usbmuxd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -88570,27 +95927,9 @@ index 0000000..d031d76
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for usbmuxd:
-+
-+.EX
-+.B usbmuxd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type usbmuxd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type usbmuxd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B usbmuxd_var_run_t
@@ -88598,6 +95937,22 @@ index 0000000..d031d76
 +	/var/run/usbmuxd.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -88619,10 +95974,10 @@ index 0000000..d031d76
 +selinux(8), usbmuxd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/user_selinux.8 b/man/man8/user_selinux.8
 new file mode 100644
-index 0000000..456bdfc
+index 0000000..117ac1a
 --- /dev/null
 +++ b/man/man8/user_selinux.8
-@@ -0,0 +1,546 @@
+@@ -0,0 +1,586 @@
 +.TH  "user_selinux"  "8"  "user" "mgrepl at redhat.com" "user SELinux Policy documentation"
 +.SH "NAME"
 +user_u \- \fBGeneric unprivileged user\fP - Security Enhanced Linux Policy 
@@ -88741,10 +96096,10 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to control users use of ping and traceroute, you must turn on the selinuxuser_ping boolean.
++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean.
 +
 +.EX
-+.B setsebool -P selinuxuser_ping 1
++.B setsebool -P selinuxuser_rw_noexattrfile 1
 +.EE
 +
 +.PP
@@ -88755,6 +96110,13 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean.
++
++.EX
++.B setsebool -P selinuxuser_direct_dri_enabled 1
++.EE
++
++.PP
 +If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
 +
 +.EX
@@ -88762,24 +96124,24 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to allow w to display everyone, you must turn on the user_ttyfile_stat boolean.
++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean.
 +
 +.EX
-+.B setsebool -P user_ttyfile_stat 1
++.B setsebool -P selinuxuser_user_share_music 1
 +.EE
 +
 +.PP
-+If you want to allow user music sharing, you must turn on the user_share_music boolean.
++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean.
 +
 +.EX
-+.B setsebool -P user_share_music 1
++.B setsebool -P selinuxuser_postgresql_connect_enabled 1
 +.EE
 +
 +.PP
-+If you want to allow regular users direct dri device access, you must turn on the user_direct_dri boolean.
++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean.
 +
 +.EX
-+.B setsebool -P user_direct_dri 1
++.B setsebool -P selinuxuser_tcp_server 1
 +.EE
 +
 +.PP
@@ -88804,13 +96166,6 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users)  disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean.
-+
-+.EX
-+.B setsebool -P user_tcp_server 1
-+.EE
-+
-+.PP
 +If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.
 +
 +.EX
@@ -88818,24 +96173,10 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the user_rw_noexattrfile boolean.
-+
-+.EX
-+.B setsebool -P user_rw_noexattrfile 1
-+.EE
-+
-+.PP
-+If you want to allow regular users direct mouse access, you must turn on the user_direct_mouse boolean.
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean.
 +
 +.EX
-+.B setsebool -P user_direct_mouse 1
-+.EE
-+
-+.PP
-+If you want to allow users to connect to PostgreSQL, you must turn on the user_postgresql_connect boolean.
-+
-+.EX
-+.B setsebool -P user_postgresql_connect 1
++.B setsebool -P selinuxuser_ping 1
 +.EE
 +
 +.PP
@@ -88853,13 +96194,6 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to allow user processes to change their priority, you must turn on the user_setrlimit boolean.
-+
-+.EX
-+.B setsebool -P user_setrlimit 1
-+.EE
-+
-+.PP
 +If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean.
 +
 +.EX
@@ -88867,13 +96201,6 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to allow users to connect to the local mysql server, you must turn on the user_mysql_connect boolean.
-+
-+.EX
-+.B setsebool -P user_mysql_connect 1
-+.EE
-+
-+.PP
 +If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean.
 +
 +.EX
@@ -88881,10 +96208,10 @@ index 0000000..456bdfc
 +.EE
 +
 +.PP
-+If you want to allow users to read system messages, you must turn on the user_dmesg boolean.
++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean.
 +
 +.EX
-+.B setsebool -P user_dmesg 1
++.B setsebool -P selinuxuser_mysql_connect_enabled 1
 +.EE
 +
 +.SH HOME_EXEC
@@ -88916,7 +96243,7 @@ index 0000000..456bdfc
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type user_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type user_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -88961,24 +96288,40 @@ index 0000000..456bdfc
 +
 +	/home/[^/]*/\.gnupg/log-socket
 +.br
++	/home/dwalsh/\.gnupg/log-socket
++.br
++	/var/lib/xguest/home/xguest/\.gnupg/log-socket
++.br
 +
 +.br
 +.B httpd_user_content_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
 +
 +.br
 +.B httpd_user_htaccess_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
 +
 +.br
 +.B httpd_user_ra_content_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
 +
 +.br
 +.B httpd_user_rw_content_t
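Review bot: The added `/home/dwalsh/...` and `/var/lib/xguest/home/xguest/...` lines under the `.gnupg/log-socket` and `httpd_user_*` entries are not default paths. They look like the `/home/[^/]*/` pattern expanded against the accounts on the machine that generated the page. They put a developer's login name into a shipped man page and list directories that will not exist on an installed system, which misleads an administrator who uses the "default paths" list to check file labeling. Keep only the pattern line for each type (for example `/home/[^/]*/\.gnupg/log-socket`) and regenerate the page in a clean build root that has no local users. The same expansion appears in the later hunks of user_selinux.8 (cgi-bin, ICEauthority, screen, fontconfig/fonts and Xauthority entries).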
@@ -88989,6 +96332,10 @@ index 0000000..456bdfc
 +
 +	/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
 +
 +.br
 +.B iceauth_home_t
@@ -89001,6 +96348,14 @@ index 0000000..456bdfc
 +.br
 +	/home/[^/]*/\.ICEauthority.*
 +.br
++	/home/dwalsh/\.DCOP.*
++.br
++	/home/dwalsh/\.ICEauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.DCOP.*
++.br
++	/var/lib/xguest/home/xguest/\.ICEauthority.*
++.br
 +
 +.br
 +.B mail_spool_t
@@ -89049,6 +96404,14 @@ index 0000000..456bdfc
 +.br
 +	/home/[^/]*/\.screenrc
 +.br
++	/home/dwalsh/\.screen(/.*)?
++.br
++	/home/dwalsh/\.screenrc
++.br
++	/var/lib/xguest/home/xguest/\.screen(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.screenrc
++.br
 +
 +.br
 +.B security_t
@@ -89075,6 +96438,18 @@ index 0000000..456bdfc
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_fonts_t
@@ -89085,6 +96460,10 @@ index 0000000..456bdfc
 +.br
 +	/home/[^/]*/\.fonts(/.*)?
 +.br
++	/home/dwalsh/\.fonts(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
 +
 +.br
 +.B user_home_type
@@ -89131,6 +96510,22 @@ index 0000000..456bdfc
 +.br
 +	/home/[^/]*/\.Xauthority.*
 +.br
++	/home/dwalsh/\.xauth.*
++.br
++	/home/dwalsh/\.Xauth.*
++.br
++	/home/dwalsh/\.serverauth.*
++.br
++	/home/dwalsh/\.Xauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.serverauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauthority.*
++.br
 +
 +.br
 +.B xdm_tmp_t
@@ -89172,33 +96567,46 @@ index 0000000..456bdfc
 \ No newline at end of file
 diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8
 new file mode 100644
-index 0000000..87d7066
+index 0000000..4bf88e3
 --- /dev/null
 +++ b/man/man8/useradd_selinux.8
-@@ -0,0 +1,298 @@
+@@ -0,0 +1,309 @@
 +.TH  "useradd_selinux"  "8"  "useradd" "dwalsh at redhat.com" "useradd SELinux Policy documentation"
 +.SH "NAME"
 +useradd_selinux \- Security Enhanced Linux Policy for the useradd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the useradd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the useradd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The useradd processes execute with the useradd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep useradd_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The useradd_t SELinux type can be entered via the "user_home_t,useradd_exec_t" file types.  The default entrypoint paths for the useradd_t domain are the following:"
++
++/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/newusers
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
++.PP 
++The following process types are defined for useradd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B useradd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
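Review bot: The new ENTRYPOINTS sentence for useradd_t names `user_home_t` alongside `useradd_exec_t`, but the path list beneath it shows only the four `/usr/sbin` binaries. If the policy really allows files labelled user_home_t to act as an entrypoint into the account-management domain, the page should say so and explain why, since such files are typically writable by the user. If it is an artifact of how the page was produced, it should be dropped from the sentence. The loaded policy can be checked with `sesearch -A -s useradd_t -c file -p entrypoint`. The page text continues beyond this hunk.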
@@ -89230,27 +96638,9 @@ index 0000000..87d7066
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for useradd:
-+
-+.EX
-+.B useradd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type useradd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type useradd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B default_context_t
@@ -89454,6 +96844,22 @@ index 0000000..87d7066
 +	all user home files
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -89477,33 +96883,46 @@ index 0000000..87d7066
 \ No newline at end of file
 diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8
 new file mode 100644
-index 0000000..271e8a0
+index 0000000..8a9b778
 --- /dev/null
 +++ b/man/man8/usernetctl_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "usernetctl_selinux"  "8"  "usernetctl" "dwalsh at redhat.com" "usernetctl SELinux Policy documentation"
 +.SH "NAME"
 +usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the usernetctl processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the usernetctl processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The usernetctl processes execute with the usernetctl_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep usernetctl_t
 +
++
++.SH "ENTRYPOINTS"
++
++The usernetctl_t SELinux type can be entered via the "usernetctl_exec_t" file type.  The default entrypoint paths for the usernetctl_t domain are the following:"
++
++/usr/sbin/usernetctl
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
++.PP 
++The following process types are defined for usernetctl:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B usernetctl_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -89531,27 +96950,25 @@ index 0000000..271e8a0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type usernetctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for usernetctl:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B usernetctl_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type usernetctl_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -89576,33 +96993,46 @@ index 0000000..271e8a0
 \ No newline at end of file
 diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8
 new file mode 100644
-index 0000000..b1150b0
+index 0000000..5090b6c
 --- /dev/null
 +++ b/man/man8/utempter_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,132 @@
 +.TH  "utempter_selinux"  "8"  "utempter" "dwalsh at redhat.com" "utempter SELinux Policy documentation"
 +.SH "NAME"
 +utempter_selinux \- Security Enhanced Linux Policy for the utempter processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the utempter processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the utempter processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The utempter processes execute with the utempter_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep utempter_t
 +
++
++.SH "ENTRYPOINTS"
++
++The utempter_t SELinux type can be entered via the "utempter_exec_t" file type.  The default entrypoint paths for the utempter_t domain are the following:"
++
++/usr/sbin/utempter
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
++.PP 
++The following process types are defined for utempter:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B utempter_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
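Review bot: The added PROCESS TYPES line ending `option to \fBps\bP` closes the bold run with `\bP` rather than the font-reset escape `\fP`, so the bold face is presumably not reset at that point; it should end `\fBps\fP`. The ENTRYPOINTS sentence a few lines above also ends with a stray `"` after `following:`. Both recur in the uucpd, uuidd, uux, varnishd, varnishlog, vbetool and vdagent sections of this patch, which suggests the man-page template is the place to fix them rather than each page.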
@@ -89630,27 +97060,9 @@ index 0000000..b1150b0
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for utempter:
-+
-+.EX
-+.B utempter_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type utempter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type utempter_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B initrc_var_run_t
@@ -89671,6 +97083,10 @@ index 0000000..b1150b0
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B wtmp_t
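Review bot: The two added entries `/tmp/gconfd-dwalsh` and `/tmp/gconfd-xguest` look like per-user expansions of the existing `/tmp/gconfd-.*` pattern, picked up from the machine that generated the page rather than from the policy defaults. If so, they publish local account names in shipped documentation and list paths that will not exist on other systems, while the generic `/tmp/gconfd-.*` line already covers them. Generating the pages against a clean policy store, or filtering user-specific expansions, would keep host-specific entries out of the man pages.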
@@ -89678,6 +97094,22 @@ index 0000000..b1150b0
 +	/var/log/wtmp.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -89699,33 +97131,46 @@ index 0000000..b1150b0
 +selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8
 new file mode 100644
-index 0000000..d51eadc
+index 0000000..cdccb8f
 --- /dev/null
 +++ b/man/man8/uucpd_selinux.8
-@@ -0,0 +1,209 @@
+@@ -0,0 +1,220 @@
 +.TH  "uucpd_selinux"  "8"  "uucpd" "dwalsh at redhat.com" "uucpd SELinux Policy documentation"
 +.SH "NAME"
 +uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the uucpd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the uucpd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The uucpd processes execute with the uucpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep uucpd_t
 +
++
++.SH "ENTRYPOINTS"
++
++The uucpd_t SELinux type can be entered via the "uucpd_exec_t" file type.  The default entrypoint paths for the uucpd_t domain are the following:"
++
++/usr/sbin/uucico
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
++.PP 
++The following process types are defined for uucpd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B uucpd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -89836,27 +97281,9 @@ index 0000000..d51eadc
 +Default Defined Ports:
 +tcp 540
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for uucpd:
-+
-+.EX
-+.B uucpd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type uucpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type uucpd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B uucpd_lock_t
@@ -89890,6 +97317,22 @@ index 0000000..d51eadc
 +.B uucpd_var_run_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -89914,19 +97357,46 @@ index 0000000..d51eadc
 +selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8
 new file mode 100644
-index 0000000..8706629
+index 0000000..fb3f865
 --- /dev/null
 +++ b/man/man8/uuidd_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "uuidd_selinux"  "8"  "uuidd" "dwalsh at redhat.com" "uuidd SELinux Policy documentation"
 +.SH "NAME"
 +uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the uuidd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the uuidd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The uuidd processes execute with the uuidd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep uuidd_t
++
++
++.SH "ENTRYPOINTS"
++
++The uuidd_t SELinux type can be entered via the "uuidd_exec_t" file type.  The default entrypoint paths for the uuidd_t domain are the following:"
++
++/usr/sbin/uuidd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
++.PP 
++The following process types are defined for uuidd:
++
++.EX
++.B uuidd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -89978,27 +97448,9 @@ index 0000000..8706629
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for uuidd:
-+
-+.EX
-+.B uuidd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type uuidd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type uuidd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B uuidd_var_lib_t
@@ -90012,6 +97464,8 @@ index 0000000..8706629
 +	/var/run/uuidd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
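Review bot: The `.SH NSSWITCH DOMAIN` header added here has no body, so the uuidd page gains an empty section; the varnishlog, vbetool and vdagent hunks add the same bare header. A reader cannot tell whether uuidd_t simply has no nsswitch-related booleans or whether the text was dropped during generation. The header should be emitted only when at least one boolean paragraph follows it.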
@@ -90033,33 +97487,46 @@ index 0000000..8706629
 +selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8
 new file mode 100644
-index 0000000..76d3bb6
+index 0000000..4ee339d
 --- /dev/null
 +++ b/man/man8/uux_selinux.8
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,114 @@
 +.TH  "uux_selinux"  "8"  "uux" "dwalsh at redhat.com" "uux SELinux Policy documentation"
 +.SH "NAME"
 +uux_selinux \- Security Enhanced Linux Policy for the uux processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the uux processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the uux processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The uux processes execute with the uux_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep uux_t
 +
++
++.SH "ENTRYPOINTS"
++
++The uux_t SELinux type can be entered via the "uux_exec_t" file type.  The default entrypoint paths for the uux_t domain are the following:"
++
++/usr/bin/uux
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
++.PP 
++The following process types are defined for uux:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B uux_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -90087,27 +97554,9 @@ index 0000000..76d3bb6
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for uux:
-+
-+.EX
-+.B uux_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type uux_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type uux_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -90121,6 +97570,22 @@ index 0000000..76d3bb6
 +	/var/spool/uucppublic(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -90142,43 +97607,56 @@ index 0000000..76d3bb6
 +selinux(8), uux(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8
 new file mode 100644
-index 0000000..7fe4d73
+index 0000000..3934249
 --- /dev/null
 +++ b/man/man8/varnishd_selinux.8
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,199 @@
 +.TH  "varnishd_selinux"  "8"  "varnishd" "dwalsh at redhat.com" "varnishd SELinux Policy documentation"
 +.SH "NAME"
 +varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the varnishd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the varnishd processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible.
++The varnishd processes execute with the varnishd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
++.B ps -eZ | grep varnishd_t
 +
-+.EX
-+.B setsebool -P varnishd_connect_any 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The varnishd_t SELinux type can be entered via the "varnishd_exec_t" file type.  The default entrypoint paths for the varnishd_t domain are the following:"
++
++/usr/sbin/varnishd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
++.PP 
++The following process types are defined for varnishd:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B varnishd_t, varnishlog_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P varnishd_connect_any 1
 +.EE
 +
 +.SH FILE CONTEXTS
@@ -90270,27 +97748,9 @@ index 0000000..7fe4d73
 +Default Defined Ports:
 +tcp 6081-6082
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for varnishd:
-+
-+.EX
-+.B varnishd_t, varnishlog_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type varnishd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type varnishd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B varnishd_tmp_t
@@ -90308,6 +97768,22 @@ index 0000000..7fe4d73
 +	/var/run/varnish\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -90337,19 +97813,46 @@ index 0000000..7fe4d73
 \ No newline at end of file
 diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8
 new file mode 100644
-index 0000000..1a54002
+index 0000000..cc040f9
 --- /dev/null
 +++ b/man/man8/varnishlog_selinux.8
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,138 @@
 +.TH  "varnishlog_selinux"  "8"  "varnishlog" "dwalsh at redhat.com" "varnishlog SELinux Policy documentation"
 +.SH "NAME"
 +varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the varnishlog processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the varnishlog processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The varnishlog processes execute with the varnishlog_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep varnishlog_t
++
++
++.SH "ENTRYPOINTS"
++
++The varnishlog_t SELinux type can be entered via the "varnishlog_exec_t" file type.  The default entrypoint paths for the varnishlog_t domain are the following:"
++
++/usr/bin/varnisncsa, /usr/bin/varnishlog
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
++.PP 
++The following process types are defined for varnishlog:
++
++.EX
++.B varnishlog_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
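Review bot: The ENTRYPOINTS line `/usr/bin/varnisncsa, /usr/bin/varnishlog` spells the first binary `varnisncsa`, while the pid path listed later on this page is `/var/run/varnishncsa\.pid`, so the name looks misspelled. If this list is generated from the policy's file contexts, the typo would sit in the `varnishlog_exec_t` context entry itself, and the real `/usr/bin/varnishncsa` would then not carry the entrypoint label and would not run in `varnishlog_t`. It is worth checking the file-context source and, if confirmed, correcting it to `/usr/bin/varnishncsa` there rather than only in the man page.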
@@ -90413,27 +97916,9 @@ index 0000000..1a54002
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for varnishlog:
-+
-+.EX
-+.B varnishlog_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type varnishlog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type varnishlog_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B varnishlog_log_t
@@ -90449,6 +97934,8 @@ index 0000000..1a54002
 +	/var/run/varnishncsa\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -90470,17 +97957,46 @@ index 0000000..1a54002
 +selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8
 new file mode 100644
-index 0000000..3d8e16e
+index 0000000..af1a5d0
 --- /dev/null
 +++ b/man/man8/vbetool_selinux.8
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,115 @@
 +.TH  "vbetool_selinux"  "8"  "vbetool" "dwalsh at redhat.com" "vbetool SELinux Policy documentation"
 +.SH "NAME"
 +vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vbetool processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vbetool processes via flexible mandatory access control.
++
++The vbetool processes execute with the vbetool_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep vbetool_t
++
++
++.SH "ENTRYPOINTS"
++
++The vbetool_t SELinux type can be entered via the "vbetool_exec_t" file type.  The default entrypoint paths for the vbetool_t domain are the following:"
++
++/usr/sbin/vbetool
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
++.PP 
++The following process types are defined for vbetool:
++
++.EX
++.B vbetool_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible.
@@ -90493,8 +98009,6 @@ index 0000000..3d8e16e
 +.B setsebool -P vbetool_mmap_zero_ignore 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -90521,27 +98035,9 @@ index 0000000..3d8e16e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vbetool:
-+
-+.EX
-+.B vbetool_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vbetool_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vbetool_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B mtrr_device_t
@@ -90555,6 +98051,8 @@ index 0000000..3d8e16e
 +	/sys(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -90581,19 +98079,46 @@ index 0000000..3d8e16e
 \ No newline at end of file
 diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8
 new file mode 100644
-index 0000000..0f174eb
+index 0000000..f3ddb92
 --- /dev/null
 +++ b/man/man8/vdagent_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,128 @@
 +.TH  "vdagent_selinux"  "8"  "vdagent" "dwalsh at redhat.com" "vdagent SELinux Policy documentation"
 +.SH "NAME"
 +vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vdagent processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vdagent processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vdagent processes execute with the vdagent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep vdagent_t
++
++
++.SH "ENTRYPOINTS"
++
++The vdagent_t SELinux type can be entered via the "vdagent_exec_t" file type.  The default entrypoint paths for the vdagent_t domain are the following:"
++
++/usr/sbin/spice-vdagentd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
++.PP 
++The following process types are defined for vdagent:
++
++.EX
++.B vdagent_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -90645,27 +98170,9 @@ index 0000000..0f174eb
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vdagent:
-+
-+.EX
-+.B vdagent_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vdagent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vdagent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B vdagent_log_t
@@ -90683,6 +98190,8 @@ index 0000000..0f174eb
 +	/var/run/spice-vdagentd\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
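Review bot: The added `.SH NSSWITCH DOMAIN` heading has no body; the next line is `.SH "COMMANDS"`, so the vdagent page will render an empty section. The vhostmd, virsh and vlock pages only carry this heading together with the `authlogin_nsswitch_use_ldap` / `kerberos_enabled` paragraphs, which suggests the heading should be emitted only when there is at least one domain to list. The same empty heading is added in the virt_bridgehelper and virt_qmf hunks further down.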
@@ -90704,33 +98213,46 @@ index 0000000..0f174eb
 +selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8
 new file mode 100644
-index 0000000..4a4c83a
+index 0000000..8704d18
 --- /dev/null
 +++ b/man/man8/vhostmd_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,154 @@
 +.TH  "vhostmd_selinux"  "8"  "vhostmd" "dwalsh at redhat.com" "vhostmd SELinux Policy documentation"
 +.SH "NAME"
 +vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vhostmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vhostmd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vhostmd processes execute with the vhostmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep vhostmd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The vhostmd_t SELinux type can be entered via the "vhostmd_exec_t" file type.  The default entrypoint paths for the vhostmd_t domain are the following:"
++
++/usr/sbin/vhostmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for vhostmd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B vhostmd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
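Review bot: The relocated PROCESS TYPES text still closes the bold span with `\bP` in `option to \fBps\bP`, which is not the font-reset escape. It should read `\fBps\fP`, as the new DESCRIPTION paragraph in this same hunk already does. The new ENTRYPOINTS sentence also ends with an unmatched `"` after `are the following:`. Both defects recur in the virsh, virt_bridgehelper, virt_qmf, virtd_lxc, virtd and vlock hunks below, so the fix probably belongs in whatever generates these pages rather than in each page.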
@@ -90782,27 +98304,9 @@ index 0000000..4a4c83a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vhostmd:
-+
-+.EX
-+.B vhostmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vhostmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vhostmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B vhostmd_tmpfs_t
@@ -90827,6 +98331,26 @@ index 0000000..4a4c83a
 +.br
 +	/home/[^/]*/VirtualMachines/isos(/.*)?
 +.br
++	/home/dwalsh/VirtualMachines/isos(/.*)?
++.br
++	/var/lib/xguest/home/xguest/VirtualMachines/isos(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
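Review bot: The added entries `/home/dwalsh/VirtualMachines/isos(/.*)?` and `/var/lib/xguest/home/xguest/VirtualMachines/isos(/.*)?` look like the generic `/home/[^/]*/VirtualMachines/isos(/.*)?` line expanded against accounts on the machine where the page was produced. That puts one developer's home directory into a man page shipped to every system, and it tells an administrator nothing the wildcard entry does not. Consider dropping the per-account expansions and keeping only the `/home/[^/]*/` pattern under MANAGED FILES. The same kind of addition appears in the virsh (`\.ssh`, `\.shosts`), virt_bridgehelper and virtd hunks.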
@@ -90849,33 +98373,46 @@ index 0000000..4a4c83a
 +selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8
 new file mode 100644
-index 0000000..721ad06
+index 0000000..45cd61d
 --- /dev/null
 +++ b/man/man8/virsh_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,186 @@
 +.TH  "virsh_selinux"  "8"  "virsh" "dwalsh at redhat.com" "virsh SELinux Policy documentation"
 +.SH "NAME"
 +virsh_selinux \- Security Enhanced Linux Policy for the virsh processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the virsh processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the virsh processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The virsh processes execute with the virsh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep virsh_t
++
++
++.SH "ENTRYPOINTS"
++
++The virsh_t SELinux type can be entered via the "virsh_exec_t" file type.  The default entrypoint paths for the virsh_t domain are the following:"
 +
++/usr/bin/virt-sandbox-service.*, /usr/bin/virsh, /usr/sbin/fence_virtd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
++.PP 
++The following process types are defined for virsh:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B virsh_ssh_t, virsh_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -90907,27 +98444,9 @@ index 0000000..721ad06
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for virsh:
-+
-+.EX
-+.B virsh_ssh_t, virsh_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type virsh_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type virsh_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B ssh_home_t
@@ -90950,6 +98469,14 @@ index 0000000..721ad06
 +.br
 +	/home/[^/]*/\.shosts
 +.br
++	/home/dwalsh/\.ssh(/.*)?
++.br
++	/home/dwalsh/\.shosts
++.br
++	/var/lib/xguest/home/xguest/\.ssh(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.shosts
++.br
 +
 +.br
 +.B svirt_lxc_file_t
@@ -91001,6 +98528,22 @@ index 0000000..721ad06
 +.B xenfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -91022,19 +98565,46 @@ index 0000000..721ad06
 +selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/virt_bridgehelper_selinux.8 b/man/man8/virt_bridgehelper_selinux.8
 new file mode 100644
-index 0000000..d31c983
+index 0000000..f59570e
 --- /dev/null
 +++ b/man/man8/virt_bridgehelper_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,117 @@
 +.TH  "virt_bridgehelper_selinux"  "8"  "virt_bridgehelper" "dwalsh at redhat.com" "virt_bridgehelper SELinux Policy documentation"
 +.SH "NAME"
 +virt_bridgehelper_selinux \- Security Enhanced Linux Policy for the virt_bridgehelper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the virt_bridgehelper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the virt_bridgehelper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The virt_bridgehelper processes execute with the virt_bridgehelper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep virt_bridgehelper_t
++
++
++.SH "ENTRYPOINTS"
++
++The virt_bridgehelper_t SELinux type can be entered via the "virt_bridgehelper_exec_t" file type.  The default entrypoint paths for the virt_bridgehelper_t domain are the following:"
++
++/usr/libexec/qemu-bridge-helper
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible.
++.PP 
++The following process types are defined for virt_bridgehelper:
++
++.EX
++.B virt_bridgehelper_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -91062,27 +98632,9 @@ index 0000000..d31c983
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for virt_bridgehelper:
-+
-+.EX
-+.B virt_bridgehelper_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type virt_bridgehelper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type virt_bridgehelper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B svirt_home_t
@@ -91095,6 +98647,24 @@ index 0000000..d31c983
 +.br
 +	/home/[^/]*/\.local/share/gnome-boxes/images(/.*)?
 +.br
++	/home/dwalsh/\.libvirt/qemu(/.*)?
++.br
++	/home/dwalsh/\.cache/libvirt/qemu(/.*)?
++.br
++	/home/dwalsh/\.config/libvirt/qemu(/.*)?
++.br
++	/home/dwalsh/\.local/share/gnome-boxes/images(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.libvirt/qemu(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache/libvirt/qemu(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config/libvirt/qemu(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)?
++.br
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -91115,21 +98685,50 @@ index 0000000..d31c983
 +
 +.SH "SEE ALSO"
 +selinux(8), virt_bridgehelper(8), semanage(8), restorecon(8), chcon(1)
++, virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/virt_qmf_selinux.8 b/man/man8/virt_qmf_selinux.8
 new file mode 100644
-index 0000000..f87e064
+index 0000000..d214ebb
 --- /dev/null
 +++ b/man/man8/virt_qmf_selinux.8
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,89 @@
 +.TH  "virt_qmf_selinux"  "8"  "virt_qmf" "dwalsh at redhat.com" "virt_qmf SELinux Policy documentation"
 +.SH "NAME"
 +virt_qmf_selinux \- Security Enhanced Linux Policy for the virt_qmf processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the virt_qmf processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the virt_qmf processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The virt_qmf processes execute with the virt_qmf_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep virt_qmf_t
++
++
++.SH "ENTRYPOINTS"
++
++The virt_qmf_t SELinux type can be entered via the "virt_qmf_exec_t" file type.  The default entrypoint paths for the virt_qmf_t domain are the following:"
++
++/usr/sbin/libvirt-qmf
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible.
++.PP 
++The following process types are defined for virt_qmf:
++
++.EX
++.B virt_qmf_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -91157,27 +98756,11 @@ index 0000000..f87e064
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for virt_qmf:
-+
-+.EX
-+.B virt_qmf_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type virt_qmf_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type virt_qmf_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -91198,35 +98781,50 @@ index 0000000..f87e064
 +
 +.SH "SEE ALSO"
 +selinux(8), virt_qmf(8), semanage(8), restorecon(8), chcon(1)
++, virt_bridgehelper_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/virtd_lxc_selinux.8 b/man/man8/virtd_lxc_selinux.8
 new file mode 100644
-index 0000000..c0fe284
+index 0000000..b30a56c
 --- /dev/null
 +++ b/man/man8/virtd_lxc_selinux.8
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,143 @@
 +.TH  "virtd_lxc_selinux"  "8"  "virtd_lxc" "dwalsh at redhat.com" "virtd_lxc SELinux Policy documentation"
 +.SH "NAME"
 +virtd_lxc_selinux \- Security Enhanced Linux Policy for the virtd_lxc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the virtd_lxc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the virtd_lxc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The virtd_lxc processes execute with the virtd_lxc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep virtd_lxc_t
++
++
++.SH "ENTRYPOINTS"
 +
++The virtd_lxc_t SELinux type can be entered via the "virtd_lxc_exec_t" file type.  The default entrypoint paths for the virtd_lxc_t domain are the following:"
++
++/usr/libexec/libvirt_lxc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the virtd_lxc_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible.
++.PP 
++The following process types are defined for virtd_lxc:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B virtd_lxc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -91254,27 +98852,9 @@ index 0000000..c0fe284
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for virtd_lxc:
-+
-+.EX
-+.B virtd_lxc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type virtd_lxc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type virtd_lxc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B cgroup_t
@@ -91316,6 +98896,22 @@ index 0000000..c0fe284
 +	/var/run/libvirt-sandbox(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the virtd_lxc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -91335,21 +98931,50 @@ index 0000000..c0fe284
 +
 +.SH "SEE ALSO"
 +selinux(8), virtd_lxc(8), semanage(8), restorecon(8), chcon(1)
-+, virtd_selinux(8)
++, virtd_selinux(8), virtd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8
 new file mode 100644
-index 0000000..a62bc55
+index 0000000..f211332
 --- /dev/null
 +++ b/man/man8/virtd_selinux.8
-@@ -0,0 +1,421 @@
+@@ -0,0 +1,456 @@
 +.TH  "virtd_selinux"  "8"  "virtd" "dwalsh at redhat.com" "virtd SELinux Policy documentation"
 +.SH "NAME"
 +virtd_selinux \- Security Enhanced Linux Policy for the virtd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the virtd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the virtd processes via flexible mandatory access control.
++
++The virtd processes execute with the virtd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep virtd_t
++
++
++.SH "ENTRYPOINTS"
++
++The virtd_t SELinux type can be entered via the "virtd_exec_t" file type.  The default entrypoint paths for the virtd_t domain are the following:"
++
++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/vios-proxy-host, /usr/bin/imgfac\.py, /usr/bin/vios-proxy-guest, /usr/bin/nova-compute, /usr/sbin/libvirtd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
++.PP 
++The following process types are defined for virtd:
++
++.EX
++.B virtd_lxc_t, virt_qmf_t, virt_bridgehelper_t, virtd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible.
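Review bot: The updated SEE ALSO line for the virtd_lxc page now lists the same reference twice, `, virtd_selinux(8), virtd_selinux(8)`. The virt_bridgehelper and virt_qmf pages in this patch each list three distinct sibling pages, so the related-page list here probably needs de-duplicating and may be missing `virt_bridgehelper_selinux(8)` and `virt_qmf_selinux(8)`. The line is also still the last one in the file, with no trailing newline.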
@@ -91432,22 +99057,6 @@ index 0000000..a62bc55
 +.B setsebool -P virt_use_samba 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -91538,27 +99147,9 @@ index 0000000..a62bc55
 +.EE
 +udp 16509,16514
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for virtd:
-+
-+.EX
-+.B virtd_lxc_t, virt_qmf_t, virt_bridgehelper_t, virtd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type virtd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type virtd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -91687,6 +99278,30 @@ index 0000000..a62bc55
 +.br
 +	/home/[^/]*/\.cache/gnome-boxes(/.*)?
 +.br
++	/home/dwalsh/\.libvirt(/.*)?
++.br
++	/home/dwalsh/\.virtinst(/.*)?
++.br
++	/home/dwalsh/\.cache/libvirt(/.*)?
++.br
++	/home/dwalsh/\.config/libvirt(/.*)?
++.br
++	/home/dwalsh/VirtualMachines(/.*)?
++.br
++	/home/dwalsh/\.cache/gnome-boxes(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.libvirt(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.virtinst(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache/libvirt(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.config/libvirt(/.*)?
++.br
++	/var/lib/xguest/home/xguest/VirtualMachines(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.cache/gnome-boxes(/.*)?
++.br
 +
 +.br
 +.B virt_image_type
@@ -91738,6 +99353,22 @@ index 0000000..a62bc55
 +	/var/run/libvirt(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -91767,33 +99398,46 @@ index 0000000..a62bc55
 \ No newline at end of file
 diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8
 new file mode 100644
-index 0000000..2322b2f
+index 0000000..c6faa2d
 --- /dev/null
 +++ b/man/man8/vlock_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,128 @@
 +.TH  "vlock_selinux"  "8"  "vlock" "dwalsh at redhat.com" "vlock SELinux Policy documentation"
 +.SH "NAME"
 +vlock_selinux \- Security Enhanced Linux Policy for the vlock processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vlock processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vlock processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vlock processes execute with the vlock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep vlock_t
++
++
++.SH "ENTRYPOINTS"
 +
++The vlock_t SELinux type can be entered via the "vlock_exec_t" file type.  The default entrypoint paths for the vlock_t domain are the following:"
++
++/usr/sbin/vlock-main
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the vlock_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
++.PP 
++The following process types are defined for vlock:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B vlock_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -91821,27 +99465,9 @@ index 0000000..2322b2f
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vlock:
-+
-+.EX
-+.B vlock_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vlock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vlock_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B faillog_t
@@ -91869,6 +99495,22 @@ index 0000000..2322b2f
 +	/var/run/pcscd\.comm
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the vlock_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -91890,19 +99532,46 @@ index 0000000..2322b2f
 +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/vmware_host_selinux.8 b/man/man8/vmware_host_selinux.8
 new file mode 100644
-index 0000000..e10c9b4
+index 0000000..2e6c4ce
 --- /dev/null
 +++ b/man/man8/vmware_host_selinux.8
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,141 @@
 +.TH  "vmware_host_selinux"  "8"  "vmware_host" "dwalsh at redhat.com" "vmware_host SELinux Policy documentation"
 +.SH "NAME"
 +vmware_host_selinux \- Security Enhanced Linux Policy for the vmware_host processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vmware_host processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vmware_host processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vmware_host processes execute with the vmware_host_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep vmware_host_t
++
++
++.SH "ENTRYPOINTS"
++
++The vmware_host_t SELinux type can be entered via the "vmware_host_exec_t" file type.  The default entrypoint paths for the vmware_host_t domain are the following:"
++
++/usr/bin/vmware-smbpasswd\.bin, /usr/bin/vmware-smbd, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-dhcpd, /usr/bin/vmnet-bridge, /usr/bin/vmware-nmbd, /usr/bin/vmnet-netifup, /usr/sbin/vmware-guest.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmware-network, /usr/bin/vmnet-sniffer, /usr/bin/vmware-smbpasswd, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware/bin/vmware-vmx
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible.
++.PP 
++The following process types are defined for vmware_host:
++
++.EX
++.B vmware_host_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
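Review bot: The relocated PROCESS TYPES block still ends the `ps` reference with `\bP` instead of `\fP`, so the bold font is probably never switched off in the rendered page; the line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The new ENTRYPOINTS sentence also ends with a stray double quote after `are the following:`. Both come from generated text and repeat in the vmware, vnstat, vnstatd, vpnc, wdmd and webalizer pages in the following hunks, so the fix belongs in the generator rather than in this patch.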
@@ -91950,27 +99619,9 @@ index 0000000..e10c9b4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vmware_host:
-+
-+.EX
-+.B vmware_host_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vmware_host_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vmware_host_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B systemd_passwd_var_run_t
@@ -92004,6 +99655,8 @@ index 0000000..e10c9b4
 +	/usr/lib/vmware/config
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -92023,23 +99676,50 @@ index 0000000..e10c9b4
 +
 +.SH "SEE ALSO"
 +selinux(8), vmware_host(8), semanage(8), restorecon(8), chcon(1)
-+, vmware_selinux(8)
++, vmware_selinux(8), vmware_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8
 new file mode 100644
-index 0000000..eec481c
+index 0000000..d479e7b
 --- /dev/null
 +++ b/man/man8/vmware_selinux.8
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,255 @@
 +.TH  "vmware_selinux"  "8"  "vmware" "dwalsh at redhat.com" "vmware SELinux Policy documentation"
 +.SH "NAME"
 +vmware_selinux \- Security Enhanced Linux Policy for the vmware processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vmware processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vmware processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vmware processes execute with the vmware_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep vmware_t
++
++
++.SH "ENTRYPOINTS"
++
++The vmware_t SELinux type can be entered via the "vmware_exec_t" file type.  The default entrypoint paths for the vmware_t domain are the following:"
++
++/usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/sbin/vmware-serverd, /usr/bin/vmware-wizard, /usr/bin/vmware
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
++.PP 
++The following process types are defined for vmware:
++
++.EX
++.B vmware_t, vmware_host_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -92163,27 +99843,9 @@ index 0000000..eec481c
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vmware:
-+
-+.EX
-+.B vmware_t, vmware_host_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vmware_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vmware_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B usbfs_t
@@ -92204,12 +99866,28 @@ index 0000000..eec481c
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B vmware_conf_t
 +
 +	/home/[^/]*/\.vmware[^/]*/.*\.cfg
 +.br
++	/home/dwalsh/\.vmware[^/]*/.*\.cfg
++.br
++	/var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg
++.br
 +
 +.br
 +.B vmware_file_t
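Review bot: The added lines list `/home/dwalsh/...` and `/var/lib/xguest/home/xguest/...` next to the generic `/home/[^/]*/...` patterns, and these look like accounts on the machine where the page was generated rather than default paths of the policy. A shipped man page should not carry build-host account names, and an administrator reading it gets a misleading picture of which paths are labeled vmware_conf_t by default. Presumably the generator expanded the home-directory template for local users; I would drop the expanded entries and keep only the `/home/[^/]*/...` lines. The next hunk (`@@ -92218,6 +99896,14 @@`) adds the same kind of entries under vmware_file_t.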
@@ -92218,6 +99896,14 @@ index 0000000..eec481c
 +.br
 +	/home/[^/]*/\.vmware(/.*)?
 +.br
++	/home/dwalsh/vmware(/.*)?
++.br
++	/home/dwalsh/\.vmware(/.*)?
++.br
++	/var/lib/xguest/home/xguest/vmware(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.vmware(/.*)?
++.br
 +
 +.br
 +.B vmware_pid_t
@@ -92231,6 +99917,8 @@ index 0000000..eec481c
 +.B vmware_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -92254,19 +99942,46 @@ index 0000000..eec481c
 \ No newline at end of file
 diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8
 new file mode 100644
-index 0000000..0a663db
+index 0000000..35d8b26
 --- /dev/null
 +++ b/man/man8/vnstat_selinux.8
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,119 @@
 +.TH  "vnstat_selinux"  "8"  "vnstat" "dwalsh at redhat.com" "vnstat SELinux Policy documentation"
 +.SH "NAME"
 +vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vnstat processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vnstat processes via flexible mandatory access control.
++
++The vnstat processes execute with the vnstat_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep vnstat_t
 +
-+.SH NSSWITCH DOMAIN
++
++.SH "ENTRYPOINTS"
++
++The vnstat_t SELinux type can be entered via the "vnstat_exec_t" file type.  The default entrypoint paths for the vnstat_t domain are the following:"
++
++/usr/bin/vnstat
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
++.PP 
++The following process types are defined for vnstat:
++
++.EX
++.B vnstat_t, vnstatd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -92318,27 +100033,9 @@ index 0000000..0a663db
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vnstat:
-+
-+.EX
-+.B vnstat_t, vnstatd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vnstat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vnstat_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B vnstatd_var_lib_t
@@ -92346,6 +100043,8 @@ index 0000000..0a663db
 +	/var/lib/vnstat(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -92369,19 +100068,46 @@ index 0000000..0a663db
 \ No newline at end of file
 diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8
 new file mode 100644
-index 0000000..96ff2ef
+index 0000000..1508939
 --- /dev/null
 +++ b/man/man8/vnstatd_selinux.8
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,117 @@
 +.TH  "vnstatd_selinux"  "8"  "vnstatd" "dwalsh at redhat.com" "vnstatd SELinux Policy documentation"
 +.SH "NAME"
 +vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vnstatd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vnstatd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vnstatd processes execute with the vnstatd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep vnstatd_t
++
++
++.SH "ENTRYPOINTS"
++
++The vnstatd_t SELinux type can be entered via the "vnstatd_exec_t" file type.  The default entrypoint paths for the vnstatd_t domain are the following:"
++
++/usr/sbin/vnstatd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
++.PP 
++The following process types are defined for vnstatd:
++
++.EX
++.B vnstat_t, vnstatd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -92425,27 +100151,9 @@ index 0000000..96ff2ef
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vnstatd:
-+
-+.EX
-+.B vnstat_t, vnstatd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vnstatd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vnstatd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B vnstatd_var_lib_t
@@ -92459,6 +100167,8 @@ index 0000000..96ff2ef
 +	/var/run/vnstat\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -92482,33 +100192,46 @@ index 0000000..96ff2ef
 \ No newline at end of file
 diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8
 new file mode 100644
-index 0000000..52873e2
+index 0000000..d2851b0
 --- /dev/null
 +++ b/man/man8/vpnc_selinux.8
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,158 @@
 +.TH  "vpnc_selinux"  "8"  "vpnc" "dwalsh at redhat.com" "vpnc SELinux Policy documentation"
 +.SH "NAME"
 +vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the vpnc processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the vpnc processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The vpnc processes execute with the vpnc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep vpnc_t
 +
++
++.SH "ENTRYPOINTS"
++
++The vpnc_t SELinux type can be entered via the "vpnc_exec_t" file type.  The default entrypoint paths for the vpnc_t domain are the following:"
++
++/usr/sbin/vpnc, /usr/bin/openconnect, /sbin/vpnc
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
++.PP 
++The following process types are defined for vpnc:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B vpnc_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -92556,27 +100279,9 @@ index 0000000..52873e2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for vpnc:
-+
-+.EX
-+.B vpnc_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type vpnc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type vpnc_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B net_conf_t
@@ -92614,6 +100319,22 @@ index 0000000..52873e2
 +	/var/run/vpnc(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -92635,33 +100356,46 @@ index 0000000..52873e2
 +selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8
 new file mode 100644
-index 0000000..22d7269
+index 0000000..abbd5ba
 --- /dev/null
 +++ b/man/man8/wdmd_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,136 @@
 +.TH  "wdmd_selinux"  "8"  "wdmd" "dwalsh at redhat.com" "wdmd SELinux Policy documentation"
 +.SH "NAME"
 +wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the wdmd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the wdmd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The wdmd processes execute with the wdmd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep wdmd_t
++
++
++.SH "ENTRYPOINTS"
 +
++The wdmd_t SELinux type can be entered via the "wdmd_exec_t" file type.  The default entrypoint paths for the wdmd_t domain are the following:"
++
++/usr/sbin/wdmd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
++.PP 
++The following process types are defined for wdmd:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B wdmd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -92713,27 +100447,9 @@ index 0000000..22d7269
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for wdmd:
-+
-+.EX
-+.B wdmd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type wdmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type wdmd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B wdmd_tmpfs_t
@@ -92745,6 +100461,22 @@ index 0000000..22d7269
 +	/var/run/wdmd(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -92766,7 +100498,7 @@ index 0000000..22d7269
 +selinux(8), wdmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/webadm_selinux.8 b/man/man8/webadm_selinux.8
 new file mode 100644
-index 0000000..6cd1bb8
+index 0000000..7c0b82c
 --- /dev/null
 +++ b/man/man8/webadm_selinux.8
 @@ -0,0 +1,240 @@
@@ -92841,7 +100573,7 @@ index 0000000..6cd1bb8
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type webadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type webadm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B httpd_config_t
@@ -93013,33 +100745,46 @@ index 0000000..6cd1bb8
 \ No newline at end of file
 diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8
 new file mode 100644
-index 0000000..1ae795d
+index 0000000..cefec7b
 --- /dev/null
 +++ b/man/man8/webalizer_selinux.8
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,200 @@
 +.TH  "webalizer_selinux"  "8"  "webalizer" "dwalsh at redhat.com" "webalizer SELinux Policy documentation"
 +.SH "NAME"
 +webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the webalizer processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the webalizer processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The webalizer processes execute with the webalizer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep webalizer_t
++
++
++.SH "ENTRYPOINTS"
 +
++The webalizer_t SELinux type can be entered via the "webalizer_exec_t" file type.  The default entrypoint paths for the webalizer_t domain are the following:"
++
++/usr/bin/webalizer, /usr/bin/awffull
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
++.PP 
++The following process types are defined for webalizer:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B webalizer_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -93111,27 +100856,9 @@ index 0000000..1ae795d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for webalizer:
-+
-+.EX
-+.B webalizer_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type webalizer_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type webalizer_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -93187,6 +100914,22 @@ index 0000000..1ae795d
 +	/var/lib/webalizer(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -93208,33 +100951,46 @@ index 0000000..1ae795d
 +selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/winbind_helper_selinux.8 b/man/man8/winbind_helper_selinux.8
 new file mode 100644
-index 0000000..ba1693e
+index 0000000..e2f59d4
 --- /dev/null
 +++ b/man/man8/winbind_helper_selinux.8
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,103 @@
 +.TH  "winbind_helper_selinux"  "8"  "winbind_helper" "dwalsh at redhat.com" "winbind_helper SELinux Policy documentation"
 +.SH "NAME"
 +winbind_helper_selinux \- Security Enhanced Linux Policy for the winbind_helper processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the winbind_helper processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the winbind_helper processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The winbind_helper processes execute with the winbind_helper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep winbind_helper_t
 +
++
++.SH "ENTRYPOINTS"
++
++The winbind_helper_t SELinux type can be entered via the "winbind_helper_exec_t" file type.  The default entrypoint paths for the winbind_helper_t domain are the following:"
++
++/usr/bin/ntlm_auth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the winbind_helper_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible.
++.PP 
++The following process types are defined for winbind_helper:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B winbind_helper_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -93262,27 +101018,25 @@ index 0000000..ba1693e
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type winbind_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for winbind_helper:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B winbind_helper_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the winbind_helper_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type winbind_helper_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
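Review bot: In winbind_helper_selinux.8 the MANAGED FILES sentence "can manage files labeled with the following file types" is followed directly by `.SH NSSWITCH DOMAIN`, so no file types are listed. The reader cannot tell whether winbind_helper_t manages no files or the list was lost during generation. The generator should either omit the section or emit an explicit line such as `None.` when the list is empty. The wpa_cli page has the same empty list in a later hunk, and the wine and wpa_cli pages also gain a bare `.SH NSSWITCH DOMAIN` heading with no body.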
@@ -93303,47 +101057,60 @@ index 0000000..ba1693e
 +
 +.SH "SEE ALSO"
 +selinux(8), winbind_helper(8), semanage(8), restorecon(8), chcon(1)
-+, winbind_selinux(8)
++, winbind_selinux(8), winbind_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8
 new file mode 100644
-index 0000000..975d839
+index 0000000..0ccdd85
 --- /dev/null
 +++ b/man/man8/winbind_selinux.8
-@@ -0,0 +1,260 @@
+@@ -0,0 +1,279 @@
 +.TH  "winbind_selinux"  "8"  "winbind" "dwalsh at redhat.com" "winbind SELinux Policy documentation"
 +.SH "NAME"
 +winbind_selinux \- Security Enhanced Linux Policy for the winbind processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the winbind processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the winbind processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible.
++The winbind processes execute with the winbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
++.B ps -eZ | grep winbind_t
 +
-+.EX
-+.B setsebool -P httpd_mod_auth_ntlm_winbind 1
-+.EE
 +
-+.SH NSSWITCH DOMAIN
++.SH "ENTRYPOINTS"
 +
++The winbind_t SELinux type can be entered via the "winbind_exec_t" file type.  The default entrypoint paths for the winbind_t domain are the following:"
++
++/usr/sbin/winbindd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
++.PP 
++The following process types are defined for winbind:
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B winbind_helper_t, winbind_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible.
++
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean.
++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_mod_auth_ntlm_winbind 1
 +.EE
 +
 +.SH FILE CONTEXTS
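Review bot: The PROCESS TYPES text added to winbind_selinux.8 closes the bold `ps` with `\fBps\bP`, and `\bP` is not the font-reset escape; the line should end `option to \fBps\fP`. As written, roff is likely to read `\b` as the start of a different escape, so the text after it may render wrongly or stay bold. The same sequence is re-added to the wine, wireshark, wpa_cli and xauth pages in later hunks, which suggests the fix belongs in the generator template rather than in each page. Separately, the SEE ALSO line of winbind_helper_selinux.8 at the top of this hunk now lists `winbind_selinux(8)` twice.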
@@ -93400,27 +101167,9 @@ index 0000000..975d839
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for winbind:
-+
-+.EX
-+.B winbind_helper_t, winbind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type winbind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type winbind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B auth_cache_t
@@ -93523,6 +101272,10 @@ index 0000000..975d839
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B user_tmp_t
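Review bot: The managed-files list for `user_home_t` now contains `/home/dwalsh/.+` and `/var/lib/xguest/home/xguest/.+`, which look like home-directory contexts expanded for accounts on the machine where the pages were generated rather than defaults of the shipped policy. Publishing them puts a maintainer's account name into every installed man page and documents paths that will not exist on the reader's system; only the generic `/home/[^/]*/.+` pattern should be listed. The same host-specific entries appear in the following `user_tmp_t` hunk (`/tmp/gconfd-dwalsh`, `/tmp/gconfd-xguest`) and in the wireshark and xauth pages further down. Regenerating the pages on a clean build root, or having the generator skip per-user expansions (presumably taken from the local homedir file contexts), would avoid this.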
@@ -93531,6 +101284,10 @@ index 0000000..975d839
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B winbind_log_t
@@ -93548,6 +101305,22 @@ index 0000000..975d839
 +	/var/cache/samba/winbindd_privileged(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -93574,17 +101347,46 @@ index 0000000..975d839
 \ No newline at end of file
 diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8
 new file mode 100644
-index 0000000..1aec24d
+index 0000000..425eeb1
 --- /dev/null
 +++ b/man/man8/wine_selinux.8
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,119 @@
 +.TH  "wine_selinux"  "8"  "wine" "dwalsh at redhat.com" "wine SELinux Policy documentation"
 +.SH "NAME"
 +wine_selinux \- Security Enhanced Linux Policy for the wine processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the wine processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the wine processes via flexible mandatory access control.
++
++The wine processes execute with the wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep wine_t
++
++
++.SH "ENTRYPOINTS"
++
++The wine_t SELinux type can be entered via the "wine_exec_t" file type.  The default entrypoint paths for the wine_t domain are the following:"
++
++/opt/google/picasa(/.*)?/bin/msiexec, /usr/bin/regedit, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/regsvr32, /usr/bin/msiexec, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/teamviewer(/.*)?/bin/wine.*, /usr/bin/wine.*, /opt/google/picasa(/.*)?/bin/progman, /opt/picasa/wine/bin/wine.*, /usr/bin/notepad, /opt/cxoffice/bin/wine.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
++.PP 
++The following process types are defined for wine:
++
++.EX
++.B wine_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible.
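Review bot: The relocated note on `semanage permissive -a PROCESS_TYPE` in wine_selinux.8 says only that permissive types "are not denied access", without stating that this removes SELinux confinement for the whole domain. A reader troubleshooting a denial could leave wine_t permissive indefinitely. I would add a sentence such as `Use permissive mode only while debugging, and remove it with semanage permissive -d PROCESS_TYPE once the policy is fixed.` The same paragraph is emitted for the winbind, wireshark, wpa_cli and xauth pages in this patch, so the wording is best changed once in the generator.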
@@ -93597,8 +101399,6 @@ index 0000000..1aec24d
 +.B setsebool -P wine_mmap_zero_ignore 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -93637,32 +101437,16 @@ index 0000000..1aec24d
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for wine:
-+
-+.EX
-+.B wine_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type wine_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type wine_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B wine_tmp_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -93689,33 +101473,46 @@ index 0000000..1aec24d
 \ No newline at end of file
 diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8
 new file mode 100644
-index 0000000..a546865
+index 0000000..f5cf304
 --- /dev/null
 +++ b/man/man8/wireshark_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,182 @@
 +.TH  "wireshark_selinux"  "8"  "wireshark" "dwalsh at redhat.com" "wireshark SELinux Policy documentation"
 +.SH "NAME"
 +wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the wireshark processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the wireshark processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The wireshark processes execute with the wireshark_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep wireshark_t
++
++
++.SH "ENTRYPOINTS"
++
++The wireshark_t SELinux type can be entered via the "wireshark_exec_t" file type.  The default entrypoint paths for the wireshark_t domain are the following:"
 +
++/usr/bin/wireshark
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
++.PP 
++The following process types are defined for wireshark:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B wireshark_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -93767,27 +101564,9 @@ index 0000000..a546865
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for wireshark:
-+
-+.EX
-+.B wireshark_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type wireshark_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type wireshark_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B user_fonts_cache_t
@@ -93804,18 +101583,38 @@ index 0000000..a546865
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_home_t
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B wireshark_home_t
 +
 +	/home/[^/]*/\.wireshark(/.*)?
 +.br
++	/home/dwalsh/\.wireshark(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.wireshark(/.*)?
++.br
 +
 +.br
 +.B wireshark_tmp_t
@@ -93825,6 +101624,22 @@ index 0000000..a546865
 +.B wireshark_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -93846,19 +101661,46 @@ index 0000000..a546865
 +selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/wpa_cli_selinux.8 b/man/man8/wpa_cli_selinux.8
 new file mode 100644
-index 0000000..48ec260
+index 0000000..d8311e2
 --- /dev/null
 +++ b/man/man8/wpa_cli_selinux.8
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,92 @@
 +.TH  "wpa_cli_selinux"  "8"  "wpa_cli" "dwalsh at redhat.com" "wpa_cli SELinux Policy documentation"
 +.SH "NAME"
 +wpa_cli_selinux \- Security Enhanced Linux Policy for the wpa_cli processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the wpa_cli processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the wpa_cli processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The wpa_cli processes execute with the wpa_cli_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep wpa_cli_t
++
++
++.SH "ENTRYPOINTS"
++
++The wpa_cli_t SELinux type can be entered via the "wpa_cli_exec_t" file type.  The default entrypoint paths for the wpa_cli_t domain are the following:"
++
++/usr/sbin/wpa_cli, /sbin/wpa_cli
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible.
++.PP 
++The following process types are defined for wpa_cli:
++
++.EX
++.B wpa_cli_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -93890,27 +101732,11 @@ index 0000000..48ec260
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for wpa_cli:
-+
-+.EX
-+.B wpa_cli_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type wpa_cli_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type wpa_cli_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -93933,33 +101759,46 @@ index 0000000..48ec260
 +selinux(8), wpa_cli(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8
 new file mode 100644
-index 0000000..b8d2d9a
+index 0000000..a4c3a32
 --- /dev/null
 +++ b/man/man8/xauth_selinux.8
-@@ -0,0 +1,203 @@
+@@ -0,0 +1,238 @@
 +.TH  "xauth_selinux"  "8"  "xauth" "dwalsh at redhat.com" "xauth SELinux Policy documentation"
 +.SH "NAME"
 +xauth_selinux \- Security Enhanced Linux Policy for the xauth processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the xauth processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the xauth processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The xauth processes execute with the xauth_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep xauth_t
++
++
++.SH "ENTRYPOINTS"
++
++The xauth_t SELinux type can be entered via the "xauth_exec_t" file type.  The default entrypoint paths for the xauth_t domain are the following:"
 +
++/usr/bin/xauth, /usr/X11R6/bin/xauth
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
++.PP 
++The following process types are defined for xauth:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B xauth_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -94011,33 +101850,19 @@ index 0000000..b8d2d9a
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for xauth:
-+
-+.EX
-+.B xauth_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xauth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xauth_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B user_home_t
 +
 +	/home/[^/]*/.+
 +.br
++	/home/dwalsh/.+
++.br
++	/var/lib/xguest/home/xguest/.+
++.br
 +
 +.br
 +.B user_tmp_t
@@ -94046,6 +101871,10 @@ index 0000000..b8d2d9a
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B xauth_home_t
@@ -94074,6 +101903,22 @@ index 0000000..b8d2d9a
 +.br
 +	/home/[^/]*/\.Xauthority.*
 +.br
++	/home/dwalsh/\.xauth.*
++.br
++	/home/dwalsh/\.Xauth.*
++.br
++	/home/dwalsh/\.serverauth.*
++.br
++	/home/dwalsh/\.Xauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.serverauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauthority.*
++.br
 +
 +.br
 +.B xauth_tmp_t
@@ -94121,6 +101966,22 @@ index 0000000..b8d2d9a
 +	/var/run/gdm_socket
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -94142,50 +102003,63 @@ index 0000000..b8d2d9a
 +selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8
 new file mode 100644
-index 0000000..28ae2f9
+index 0000000..fc348ab
 --- /dev/null
 +++ b/man/man8/xdm_selinux.8
-@@ -0,0 +1,709 @@
+@@ -0,0 +1,772 @@
 +.TH  "xdm_selinux"  "8"  "xdm" "dwalsh at redhat.com" "xdm SELinux Policy documentation"
 +.SH "NAME"
 +xdm_selinux \- Security Enhanced Linux Policy for the xdm processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the xdm processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the xdm processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible.
++The xdm processes execute with the xdm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
++.B ps -eZ | grep xdm_t
 +
-+.EX
-+.B setsebool -P xdm_sysadm_login 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The xdm_t SELinux type can be entered via the "xdm_exec_t,bin_t" file types.  The default entrypoint paths for the xdm_t domain are the following:"
++
++/usr/bin/slim, /usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/sbin/mdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/(s)?bin/gdm-binary, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /etc/ppp/ip-up\..*, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /usr/lib/virtualbox/VBoxManage, /usr/lib/.*/scripts(/.*)?, /etc/ppp/ip-down\..*, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/shorewall-perl(/.*)?, /usr/Brother(/.*)?, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/lib/mailman.*/mail(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/share/cluster/ocf-shellfuncs, /bin, /usr/lib/.*/program(/.*)?, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/apr-0/build/libtool, /usr/lib/pm-utils(/.*)?, /etc/sysconfig/network-scripts/net.*, /usr/share/system-config-language/system-config-language, /usr/lib/vte/gnome-pty-helper, /etc/lxdm/Pre.*, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/nagios/plugins(/.*)?, /usr/share/Packag
 eKit/helpers(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/fence(/.*)?, /etc/sysconfig/network-scripts/init.*, /usr/lib/xulrunner[^/]*/updater, /etc/mcelog/cache-error-trigger, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-netboot/pxeos\.py, /usr/share/cluster/.*\.sh, /usr/lib/udev/devices/MAKEDEV, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/mc/extfs/.*, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /var/qmail/rc, /var/mailman.*/bin(/.*)?, /usr/share/system-config-nfs/system-config-nfs\.py, /sbin, /usr/share/texmf/web2c/mktexupd, /usr/lib/readahead(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/xen/bin(/.*)?, /usr/share/Modules/init(/.*)?, /var/qmail/bin, /opt/google/talkplugin(/.*)?, /etc/profile.d(/.*)?, /usr/share/hwbrowser/hwbrowser, /usr/share/dayplanner/dayplanner, /usr/lib/nspluginwrapper/np.*, /usr/share/printconf/util/print\.py, /usr/lib/[^/]*/run-mozilla\.sh, /usr/linuxprinter/filters(/.*)?, /usr/share/system-config-network/neat-control\.py,
  /usr/lib/[^/]*/mozilla-xremote-client, /usr/share/hal/scripts(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/share/system-config-selinux/polgen\.py, /usr/lib(.*/)?sbin(/.*)?, /lib/udev/devices/MAKEDEV, /etc/vmware-tools(/.*)?, /etc/PackageKit/events(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /usr/share/sectool/.*\.py, /etc/pki/tls/certs/make-dummy-cert, /usr/lib/rpm/rpmd, /usr/lib/tuned/.*/.*\.sh, /usr/share/cluster/svclib_nfslock, /usr/libexec(/.*)?, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/apr-0/build/[^/]+\.sh, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /bin/mountpoint, /usr/share/rhn/rhn_applet/needed-packages\.py, /lib/security/pam_krb5(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/rpm/rpmk, /etc/apcupsd/commok, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/clamav/freshclam-sleep, /usr/lib/mediawiki/math/texvc.*, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/xfce4(/.*)?, /usr/share/system-config-services/system-config-services, /opt/(.*
 /)?libexec(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /usr/lib/debug/sbin(/.*)?, /etc/sysconfig/libvirtd, /etc/cron.weekly(/.*)?, /usr/lib/ccache/bin(/.*)?, /sbin/.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /usr/lib/yp/.+, /usr/share/wicd/daemon(/.*)?, /etc/ppp/ipv6-up\..*, /etc/acpi/actions(/.*)?, /etc/sysconfig/network-scripts/ifdown.*, /usr/share/cluster/SAPDatabase, /usr/share/system-config-soundcard/system-config-soundcard, /usr/lib/udev/scsi_id, /etc/pm/power\.d(/.*)?, /usr/share/system-config-services/gui\.py, /etc/lxdm/Xsession, /usr/lib/cyrus-imapd/.*, /usr/sbin/insmod_ksymoops_clean, /etc/cipe/ip-down.*, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/share/shorewall/compiler\.pl, /usr/share/pydict/pydict\.py, /dev/MAKEDEV, /usr/share/shorewall-shell(/.*)?, /emul/ia32-linux/bin(/.*)?, /root/bin(/.*)?, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/system-config-selinux\.py, /etc/ppp/ipv6-down
 \..*, /usr/share/pwlib/make/ptlib-config, /usr/lib/ConsoleKit/scripts(/.*)?, /opt/(.*/)?bin(/.*)?, /etc/init\.d/functions, /lib/readahead(/.*)?, /etc/apcupsd/apccontrol, /usr/share/system-config-samba/system-config-samba\.py, /usr/lib/misc/sftp-server, /etc/apcupsd/onbattery, /usr/lib/qt.*/bin(/.*)?, /usr/share/cvs/contrib/rcs2log, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/fedora-usermgmt/wrapper, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/share/ssl/misc(/.*)?, /etc/apcupsd/changeme, /etc/apcupsd/offbattery, /etc/apcupsd/commfailure, /etc/sysconfig/readonly-root, /etc/cron.monthly(/.*)?, /var/ftp/bin(/.*)?, /usr/lib/xfce4/xfwm4/helper-dialog, /usr/lib/iscan/network, /usr/share/shorewall-lite(/.*)?, /usr/Printer(/.*)?, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/lib/news/bin(/.*)?, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/shar
 e/system-config-netboot/pxeboot\.py, /etc/auto\.[^/]*, /usr/Brother/(.*/)?inf/brprintconf.*, /etc/apcupsd/masterconnect, /etc/avahi/.*\.action, /usr/lib/netsaint/plugins(/.*)?, /usr/share/authconfig/authconfig-tui\.py, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/lib/dracut(/.*)?, /usr/share/kde4/apps/kajongg/kajongg.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/selinux/devel/policygentool, /etc/mail/make, /usr/lib/debug/usr/libexec(/.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/libexec/openssh/sftp-server, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/chromium-browser(/.*)?, /etc/sysconfig/init, /usr/share/system-logviewer/system-logviewer\.py, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /usr/lib/wicd/monitor\.py, /etc/pki/tls/misc(/.*)?, /etc/cron.hourly(/.*)?, /etc/xen/qemu-ifup, /usr/share/system-config-services/serviceconf\.py, /usr/share/tucan.*/tucan.py, /usr/l
 ib/portage/bin(/.*)?, /etc/lxdm/LoginReady, /etc/mcelog/triggers(/.*)?, /usr/share/texmf/web2c/mktexnam, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/apt/methods.+, /etc/rc\.d/init\.d/functions, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /etc/kde/shutdown(/.*)?, /usr/lib/cups(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /usr/share/gnucash/finance-quote-helper, /etc/cron.daily(/.*)?, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/lib/rpm/rpmv, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/munin/plugins(/.*)?, /usr/share/clamav/clamd-gen, /etc/lxdm/Post.*, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /etc/hotplug/.*agent, /usr/lib/emacsen-common/.*, /usr/lib/jvm/java(.*/)bin(/.*), /etc/sysconfig/network-scripts/ifup.*, /usr/lib/xfce4/xfconf/xfconfd, /usr/lib/MailScanner(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/share/ajaxterm/qweb.py.*, /usr/share/switchdesk/switchdesk-gui\.py, /usr/lib/ipsec/.*, /usr/share/turboprint/lib(/.*)?, /usr/sbin/mkfs\.cramfs, /var/qma
 il/bin(/.*)?, /etc/sysconfig/crond, /usr/share/hplip/[^/]*, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/debconf/.+, /usr/share/shorewall/configpath, /usr/bin/pingus.*, /etc/hotplug/hotplug\.functions, /usr/lib/mailman.*/bin(/.*)?, /usr/share/texmf/web2c/mktexdir, /usr/share/gnucash/finance-quote-check, /etc/redhat-lsb(/.*)?, /usr/X11R6/lib/X11/xkb/xkbcomp, /etc/gdm/[^/]+, /opt/google/chrome(/.*)?, /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/dpkg/.+, /usr/share/sandbox/sandboxX.sh, /etc/cipe/ip-up.*, /usr/lib/udev/[^/]*, /usr/bin/mountpoint, /lib/udev/scsi_id, /bin/.*, /emul/ia32-linux/sbin(/.*)?, /var/lib/iscan/interpreter, /etc/dhcp/dhclient\.d(/.*)?, /etc/racoon/scripts(/.*)?, /opt/(.*/)?sbin(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/spamassassin/sa-update\.cron, /usr/share/rhn/rhn_applet/applet\.py, /etc/X11/xdm/TakeConsole, /usr/(.*/)?sbin(/.*)?, /etc/X11/xinit(/.*)?, /usr/share/shorewall/getparams, /usr/share/cluster/checkquorum, /etc/X11/xdm/GiveConsol
 e, /usr/lib/xfce4/session/xfsm-shutdown-helper, /lib/upstart(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/gdm/[^/]+/.*, /usr/share/system-config-httpd/system-config-httpd, /usr/lib/upstart(/.*)?, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/system-config-users/system-config-users, /etc/mgetty\+sendfax/new_fax, /usr/lib/debug/bin(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /etc/hotplug/.*rc, /usr/lib/courier(/.*)?, /etc/X11/xdm/Xsetup_0, /etc/netplug\.d(/.*)?, /usr/Brother/(.*/)?inf/setup.*, /usr/lib/xfce4/session/balou-install-theme, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/smolt/client(/.*)?, /usr/bin, /etc/sysconfig/netconsole, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/xfce4/panel/migrate, /usr/share/ajaxterm/ajaxterm.py.*, /sbin/mkfs\.cramfs, /usr/share/authconfig/authconfig\.py, /usr/share/system-config-date/system-config-date\.py, /usr/share/virtualbox/.*\.sh, /etc/apcupsd/mastertimeout, /usr/lib/ruby/gems(/.*)?/helper-scr
 ipts(/.*)?, /usr/share/texmf/texconfig/tcfmgr, /etc/kde/env(/.*)?, /usr/lib/rpm/rpmq, /sbin/insmod_ksymoops_clean, /usr/lib/xfce4/panel/wrapper, /usr/share/system-config-printer/applet\.py, /etc/hotplug\.d/default/default.*, /usr/lib(.*/)?bin(/.*)?, /usr/share/gitolite/hooks/common/update, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /usr/lib/sftp-server, /usr/share/system-config-display/system-config-display, /lib/udev/[^/]*, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/denyhosts/scripts(/.*)?, /usr/share/createrepo(/.*)?, /usr/lib/yaboot/addnote, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/share/cluster/SAPInstance
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
++.PP 
++The following process types are defined for xdm:
 +
 +.EX
-+.B setsebool -P xdm_exec_bootloader 1
++.B xdm_t, xdm_dbusd_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P xdm_sysadm_login 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean.
++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P xdm_exec_bootloader 1
 +.EE
 +
 +.SH FILE CONTEXTS
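Review bot: The new ENTRYPOINTS paragraph lists every bin_t path alongside the xdm_exec_t ones, so a reader auditing how xdm_t can be entered cannot tell the display-manager binaries from generic executables such as `/bin/.*` or `/usr/libexec(/.*)?`. Grouping the paths under their file type (a `.B xdm_exec_t` list, then a single line naming bin_t) would keep the page usable, and it is worth confirming that bin_t is an intended entrypoint for xdm_t. The introductory sentence also ends with a stray `"` after `are the following:`. In the PROCESS TYPES text moved into this hunk, `\fBps\bP` should be `\fBps\fP`; the same escape appears in the xenconsoled, xend, xenstored and xserver hunks below.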
@@ -94359,27 +102233,9 @@ index 0000000..28ae2f9
 +.EE
 +udp 177
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for xdm:
-+
-+.EX
-+.B xdm_t, xdm_dbusd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xdm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xdm_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -94402,6 +102258,14 @@ index 0000000..28ae2f9
 +.br
 +	/home/[^/]*/\.google_authenticator~
 +.br
++	/home/dwalsh/\.google_authenticator
++.br
++	/home/dwalsh/\.google_authenticator~
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator
++.br
++	/var/lib/xguest/home/xguest/\.google_authenticator~
++.br
 +
 +.br
 +.B cgroup_t
@@ -94494,6 +102358,14 @@ index 0000000..28ae2f9
 +.br
 +	/home/[^/]*/\.gconf(d)?(/.*)?
 +.br
++	/home/dwalsh/\.local.*
++.br
++	/home/dwalsh/\.gconf(d)?(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.local.*
++.br
++	/var/lib/xguest/home/xguest/\.gconf(d)?(/.*)?
++.br
 +
 +.br
 +.B gnome_home_type
@@ -94626,6 +102498,10 @@ index 0000000..28ae2f9
 +.br
 +	/home/[^/]*/\.fonts(/.*)?
 +.br
++	/home/dwalsh/\.fonts(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts(/.*)?
++.br
 +
 +.br
 +.B user_tmp_t
@@ -94634,6 +102510,10 @@ index 0000000..28ae2f9
 +.br
 +	/tmp/gconfd-.*
 +.br
++	/tmp/gconfd-dwalsh
++.br
++	/tmp/gconfd-xguest
++.br
 +
 +.br
 +.B user_tmpfs_type
@@ -94694,6 +102574,22 @@ index 0000000..28ae2f9
 +.br
 +	/home/[^/]*/\.Xauthority.*
 +.br
++	/home/dwalsh/\.xauth.*
++.br
++	/home/dwalsh/\.Xauth.*
++.br
++	/home/dwalsh/\.serverauth.*
++.br
++	/home/dwalsh/\.Xauthority.*
++.br
++	/var/lib/xguest/home/xguest/\.xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauth.*
++.br
++	/var/lib/xguest/home/xguest/\.serverauth.*
++.br
++	/var/lib/xguest/home/xguest/\.Xauthority.*
++.br
 +
 +.br
 +.B xdm_home_t
@@ -94708,6 +102604,18 @@ index 0000000..28ae2f9
 +.br
 +	/home/[^/]*/\.xsession-errors.*
 +.br
++	/home/dwalsh/\.dmrc.*
++.br
++	/home/dwalsh/\.cache/gdm(/.*)?
++.br
++	/home/dwalsh/\.xsession-errors.*
++.br
++	/var/lib/xguest/home/xguest/\.dmrc.*
++.br
++	/var/lib/xguest/home/xguest/\.cache/gdm(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.xsession-errors.*
++.br
 +
 +.br
 +.B xdm_lock_t
@@ -94829,6 +102737,22 @@ index 0000000..28ae2f9
 +.B xserver_tmpfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -94858,19 +102782,46 @@ index 0000000..28ae2f9
 \ No newline at end of file
 diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8
 new file mode 100644
-index 0000000..e29e011
+index 0000000..ab73dce
 --- /dev/null
 +++ b/man/man8/xenconsoled_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,124 @@
 +.TH  "xenconsoled_selinux"  "8"  "xenconsoled" "dwalsh at redhat.com" "xenconsoled SELinux Policy documentation"
 +.SH "NAME"
 +xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the xenconsoled processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the xenconsoled processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The xenconsoled processes execute with the xenconsoled_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep xenconsoled_t
++
++
++.SH "ENTRYPOINTS"
++
++The xenconsoled_t SELinux type can be entered via the "xenconsoled_exec_t" file type.  The default entrypoint paths for the xenconsoled_t domain are the following:"
++
++/usr/sbin/xenconsoled
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
++.PP 
++The following process types are defined for xenconsoled:
++
++.EX
++.B xenconsoled_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -94906,27 +102857,9 @@ index 0000000..e29e011
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for xenconsoled:
-+
-+.EX
-+.B xenconsoled_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xenconsoled_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xenconsoled_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B sysfs_t
@@ -94956,6 +102889,8 @@ index 0000000..e29e011
 +.B xenfs_t
 +
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
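Review bot: `.SH NSSWITCH DOMAIN` is added here with no body, so xenconsoled_selinux.8 renders an empty section directly before COMMANDS. The generator should emit the heading only when at least one boolean paragraph follows it, as happens in the xauth and xdm pages. The xend_selinux.8 and xenstored_selinux.8 hunks below add the same empty heading.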
@@ -94977,17 +102912,46 @@ index 0000000..e29e011
 +selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8
 new file mode 100644
-index 0000000..cc7f6c6
+index 0000000..0d9e1e7
 --- /dev/null
 +++ b/man/man8/xend_selinux.8
-@@ -0,0 +1,308 @@
+@@ -0,0 +1,319 @@
 +.TH  "xend_selinux"  "8"  "xend" "dwalsh at redhat.com" "xend SELinux Policy documentation"
 +.SH "NAME"
 +xend_selinux \- Security Enhanced Linux Policy for the xend processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the xend processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the xend processes via flexible mandatory access control.
++
++The xend processes execute with the xend_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep xend_t
++
++
++.SH "ENTRYPOINTS"
++
++The xend_t SELinux type can be entered via the "xend_exec_t" file type.  The default entrypoint paths for the xend_t domain are the following:"
++
++/usr/sbin/xend
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
++.PP 
++The following process types are defined for xend:
++
++.EX
++.B xend_t, xenstored_t, xenconsoled_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible.
@@ -95014,8 +102978,6 @@ index 0000000..cc7f6c6
 +.B setsebool -P xend_run_blktap 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -95109,27 +103071,9 @@ index 0000000..cc7f6c6
 +Default Defined Ports:
 +tcp 8002
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for xend:
-+
-+.EX
-+.B xend_t, xenstored_t, xenconsoled_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xend_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xend_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B dhcp_etc_t
@@ -95263,6 +103207,8 @@ index 0000000..cc7f6c6
 +	/var/run/xenstore\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -95292,19 +103238,46 @@ index 0000000..cc7f6c6
 \ No newline at end of file
 diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8
 new file mode 100644
-index 0000000..bce5105
+index 0000000..df38140
 --- /dev/null
 +++ b/man/man8/xenstored_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,150 @@
 +.TH  "xenstored_selinux"  "8"  "xenstored" "dwalsh at redhat.com" "xenstored SELinux Policy documentation"
 +.SH "NAME"
 +xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the xenstored processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the xenstored processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The xenstored processes execute with the xenstored_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep xenstored_t
++
++
++.SH "ENTRYPOINTS"
++
++The xenstored_t SELinux type can be entered via the "xenstored_exec_t" file type.  The default entrypoint paths for the xenstored_t domain are the following:"
++
++/usr/sbin/xenstored
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
++.PP 
++The following process types are defined for xenstored:
++
++.EX
++.B xenstored_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -95368,27 +103341,9 @@ index 0000000..bce5105
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for xenstored:
-+
-+.EX
-+.B xenstored_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xenstored_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xenstored_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B xenfs_t
@@ -95416,6 +103371,8 @@ index 0000000..bce5105
 +	/var/run/xenstore\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -95437,10 +103394,10 @@ index 0000000..bce5105
 +selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xguest_selinux.8 b/man/man8/xguest_selinux.8
 new file mode 100644
-index 0000000..7ccd34a
+index 0000000..63ecb35
 --- /dev/null
 +++ b/man/man8/xguest_selinux.8
-@@ -0,0 +1,290 @@
+@@ -0,0 +1,322 @@
 +.TH  "xguest_selinux"  "8"  "xguest" "mgrepl at redhat.com" "xguest SELinux Policy documentation"
 +.SH "NAME"
 +xguest_u \- \fBLeast privledge xwindows user role\fP - Security Enhanced Linux Policy 
@@ -95495,12 +103452,26 @@ index 0000000..7ccd34a
 +
 +.B dns_port_t: 53
 +
-+.B kerberos_port_t: 88,750,4444
++.B http_cache_port_t: 8080,8118,10001-10010
++
++.B http_port_t: 80,81,443,488,8008,8009,8443
 +
 +.B ocsp_port_t: 9080
 +
++.B squid_port_t: 3128,3401,4827
++
++.B ephemeral_port_t: 32768-61000
++
++.B kerberos_port_t: 88,750,4444
++
++.B pulseaudio_port_t: 4713
++
++.B flash_port_t: 843,1935
++
 +.B soundd_port_t: 8000,9433,16001
 +
++.B commplex_port_t: 5001
++
 +.B ipp_port_t: 631,8610-8614
 +
 +.B transproxy_port_t: 8081
@@ -95511,29 +103482,31 @@ index 0000000..7ccd34a
 +
 +.B speech_port_t: 8036
 +
++.TP
++The SELinux user xguest_u is able to connect to the following tcp ports.
++
++.B dns_port_t: 53
++
 +.B http_cache_port_t: 8080,8118,10001-10010
 +
 +.B http_port_t: 80,81,443,488,8008,8009,8443
 +
++.B ocsp_port_t: 9080
++
 +.B squid_port_t: 3128,3401,4827
 +
 +.B ephemeral_port_t: 32768-61000
 +
++.B kerberos_port_t: 88,750,4444
++
 +.B pulseaudio_port_t: 4713
 +
 +.B flash_port_t: 843,1935
 +
-+.TP
-+The SELinux user xguest_u is able to connect to the following tcp ports.
-+
-+.B dns_port_t: 53
-+
-+.B kerberos_port_t: 88,750,4444
-+
-+.B ocsp_port_t: 9080
-+
 +.B soundd_port_t: 8000,9433,16001
 +
++.B commplex_port_t: 5001
++
 +.B ipp_port_t: 631,8610-8614
 +
 +.B transproxy_port_t: 8081
@@ -95544,18 +103517,6 @@ index 0000000..7ccd34a
 +
 +.B speech_port_t: 8036
 +
-+.B http_cache_port_t: 8080,8118,10001-10010
-+
-+.B http_port_t: 80,81,443,488,8008,8009,8443
-+
-+.B squid_port_t: 3128,3401,4827
-+
-+.B ephemeral_port_t: 32768-61000
-+
-+.B pulseaudio_port_t: 4713
-+
-+.B flash_port_t: 843,1935
-+
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  xguest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest with the tightest access possible.
 +
@@ -95610,7 +103571,7 @@ index 0000000..7ccd34a
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xguest_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xguest_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B anon_inodefs_t
@@ -95631,18 +103592,30 @@ index 0000000..7ccd34a
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)?
++.br
 +
 +.br
 +.B httpd_user_htaccess_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess
++.br
 +
 +.br
 +.B httpd_user_ra_content_t
 +
 +	/home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)?
++.br
 +
 +.br
 +.B httpd_user_rw_content_t
@@ -95653,6 +103626,10 @@ index 0000000..7ccd34a
 +
 +	/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?
 +.br
++	/home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
++	/var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?
++.br
 +
 +.br
 +.B noxattrfs
@@ -95679,6 +103656,18 @@ index 0000000..7ccd34a
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_home_type
@@ -95734,17 +103723,46 @@ index 0000000..7ccd34a
 \ No newline at end of file
 diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8
 new file mode 100644
-index 0000000..92e14ca
+index 0000000..42bf792
 --- /dev/null
 +++ b/man/man8/xserver_selinux.8
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,398 @@
 +.TH  "xserver_selinux"  "8"  "xserver" "dwalsh at redhat.com" "xserver SELinux Policy documentation"
 +.SH "NAME"
 +xserver_selinux \- Security Enhanced Linux Policy for the xserver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the xserver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the xserver processes via flexible mandatory access control.
++
++The xserver processes execute with the xserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep xserver_t
++
++
++.SH "ENTRYPOINTS"
++
++The xserver_t SELinux type can be entered via the "xserver_exec_t" file type.  The default entrypoint paths for the xserver_t domain are the following:"
++
++/usr/bin/Xair, /usr/X11R6/bin/XFree86, /etc/init\.d/xfree86-common, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/bin/Xephyr, /usr/bin/Xorg, /usr/X11R6/bin/Xwrapper, /usr/X11R6/bin/X
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
++.PP 
++The following process types are defined for xserver:
++
++.EX
++.B xserver_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible.
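Review bot: In the added PROCESS TYPES text the bold run around ps is closed with `\bP` instead of `\fP` (`option to \fBps\bP`), so the font is not reset and the line may render wrongly; it should read `\fBps\fP`, as the DESCRIPTION paragraph added just above already does. The ENTRYPOINTS sentence also ends with a stray quote, `are the following:"`. Both recur in every regenerated page in this patch (ypbind, yppasswdd, ypserv, ypxfr, zabbix_agent, zabbix, zarafa_deliver), so the fix probably belongs in the generator template rather than in each page.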
@@ -95778,22 +103796,6 @@ index 0000000..92e14ca
 +.B setsebool -P xserver_clients_write_xshm 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -95887,27 +103889,9 @@ index 0000000..92e14ca
 +Default Defined Ports:
 +tcp 6000-6020
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for xserver:
-+
-+.EX
-+.B xserver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type xserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type xserver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B bluetooth_helper_tmpfs_t
@@ -96000,6 +103984,18 @@ index 0000000..92e14ca
 +.br
 +	/home/[^/]*/\.fonts\.cache-.*
 +.br
++	/home/dwalsh/\.fontconfig(/.*)?
++.br
++	/home/dwalsh/\.fonts/auto(/.*)?
++.br
++	/home/dwalsh/\.fonts\.cache-.*
++.br
++	/var/lib/xguest/home/xguest/\.fontconfig(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts/auto(/.*)?
++.br
++	/var/lib/xguest/home/xguest/\.fonts\.cache-.*
++.br
 +
 +.br
 +.B user_tmpfs_t
@@ -96087,6 +104083,22 @@ index 0000000..92e14ca
 +	/var/run/video.rom
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -96115,10 +104127,10 @@ index 0000000..92e14ca
 +, setsebool(8)
 \ No newline at end of file
 diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8
-index 5061a5f..faf03e0 100644
+index 5061a5f..82509d2 100644
 --- a/man/man8/ypbind_selinux.8
 +++ b/man/man8/ypbind_selinux.8
-@@ -1,19 +1,129 @@
+@@ -1,19 +1,140 @@
 -.TH  "ypbind_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "ypbind Selinux Policy documentation"
 +.TH  "ypbind_selinux"  "8"  "ypbind" "dwalsh at redhat.com" "ypbind SELinux Policy documentation"
  .SH "NAME"
@@ -96135,10 +104147,37 @@ index 5061a5f..faf03e0 100644
 -setsebool -P allow_ypbind 1
 -.TP
 -system-config-selinux is a GUI tool available to customize SELinux policy settings.
-+Security-Enhanced Linux secures the ypbind processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ypbind processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ypbind processes execute with the ypbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ypbind_t
++
++
++.SH "ENTRYPOINTS"
++
++The ypbind_t SELinux type can be entered via the "ypbind_exec_t" file type.  The default entrypoint paths for the ypbind_t domain are the following:"
++
++/usr/sbin/ypbind, /sbin/ypbind
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
++.PP 
++The following process types are defined for ypbind:
++
++.EX
++.B ypbind_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
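Review bot: The note closing the added PROCESS TYPES section gives `semanage permissive -a PROCESS_TYPE` and says nothing is denied afterwards, but offers no guidance on when that is appropriate or how to revert it. For a network-facing daemon such as ypbind I would add a sentence along the lines of `Use permissive mode only while debugging denials, and remove it afterwards with semanage permissive -d PROCESS_TYPE.` The same note is added unchanged in the other regenerated pages in this patch.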
@@ -96202,27 +104241,9 @@ index 5061a5f..faf03e0 100644
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ypbind:
-+
-+.EX
-+.B ypbind_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ypbind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ypbind_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B var_yp_t
@@ -96240,6 +104261,8 @@ index 5061a5f..faf03e0 100644
 +	/var/run/ypbind.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
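Review bot: The added `.SH NSSWITCH DOMAIN` heading is followed directly by `.SH "COMMANDS"`, so ypbind_selinux.8 gets a section with a title and no body. The generator should emit the heading only when it has nsswitch booleans to list for the domain, as it does for xserver_t and zabbix_t. The yppasswdd, ypserv, ypxfr and zabbix_agent pages get the same empty section in later hunks.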
@@ -96263,19 +104286,46 @@ index 5061a5f..faf03e0 100644
 +selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8
 new file mode 100644
-index 0000000..59d56f7
+index 0000000..b81a4bb
 --- /dev/null
 +++ b/man/man8/yppasswdd_selinux.8
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,134 @@
 +.TH  "yppasswdd_selinux"  "8"  "yppasswdd" "dwalsh at redhat.com" "yppasswdd SELinux Policy documentation"
 +.SH "NAME"
 +yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the yppasswdd processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the yppasswdd processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The yppasswdd processes execute with the yppasswdd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep yppasswdd_t
++
++
++.SH "ENTRYPOINTS"
++
++The yppasswdd_t SELinux type can be entered via the "yppasswdd_exec_t" file type.  The default entrypoint paths for the yppasswdd_t domain are the following:"
++
++/usr/sbin/rpc\.yppasswdd\.env, /usr/sbin/rpc\.yppasswdd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
++.PP 
++The following process types are defined for yppasswdd:
++
++.EX
++.B yppasswdd_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -96315,27 +104365,9 @@ index 0000000..59d56f7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for yppasswdd:
-+
-+.EX
-+.B yppasswdd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type yppasswdd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type yppasswdd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B shadow_t
@@ -96371,6 +104403,8 @@ index 0000000..59d56f7
 +	/var/run/yppass.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -96392,19 +104426,46 @@ index 0000000..59d56f7
 +selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8
 new file mode 100644
-index 0000000..13199b9
+index 0000000..11f9cb1
 --- /dev/null
 +++ b/man/man8/ypserv_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,128 @@
 +.TH  "ypserv_selinux"  "8"  "ypserv" "dwalsh at redhat.com" "ypserv SELinux Policy documentation"
 +.SH "NAME"
 +ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ypserv processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ypserv processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ypserv processes execute with the ypserv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ypserv_t
++
++
++.SH "ENTRYPOINTS"
++
++The ypserv_t SELinux type can be entered via the "ypserv_exec_t" file type.  The default entrypoint paths for the ypserv_t domain are the following:"
++
++/usr/sbin/ypserv
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
++.PP 
++The following process types are defined for ypserv:
++
++.EX
++.B ypserv_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -96456,27 +104517,9 @@ index 0000000..13199b9
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ypserv:
-+
-+.EX
-+.B ypserv_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ypserv_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ypserv_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B var_yp_t
@@ -96494,6 +104537,8 @@ index 0000000..13199b9
 +	/var/run/ypserv.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -96515,19 +104560,46 @@ index 0000000..13199b9
 +selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8
 new file mode 100644
-index 0000000..7dfaeaf
+index 0000000..978de9d
 --- /dev/null
 +++ b/man/man8/ypxfr_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,112 @@
 +.TH  "ypxfr_selinux"  "8"  "ypxfr" "dwalsh at redhat.com" "ypxfr SELinux Policy documentation"
 +.SH "NAME"
 +ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the ypxfr processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the ypxfr processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The ypxfr processes execute with the ypxfr_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep ypxfr_t
++
++
++.SH "ENTRYPOINTS"
++
++The ypxfr_t SELinux type can be entered via the "ypxfr_exec_t" file type.  The default entrypoint paths for the ypxfr_t domain are the following:"
++
++/usr/lib/yp/ypxfr, /usr/sbin/rpc\.ypxfrd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
++.PP 
++The following process types are defined for ypxfr:
++
++.EX
++.B ypxfr_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -96567,27 +104639,9 @@ index 0000000..7dfaeaf
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for ypxfr:
-+
-+.EX
-+.B ypxfr_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type ypxfr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type ypxfr_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B var_yp_t
@@ -96601,6 +104655,8 @@ index 0000000..7dfaeaf
 +	/var/run/ypxfrd.*
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -96622,19 +104678,46 @@ index 0000000..7dfaeaf
 +selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/zabbix_agent_selinux.8 b/man/man8/zabbix_agent_selinux.8
 new file mode 100644
-index 0000000..613ce3e
+index 0000000..2bf4770
 --- /dev/null
 +++ b/man/man8/zabbix_agent_selinux.8
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,139 @@
 +.TH  "zabbix_agent_selinux"  "8"  "zabbix_agent" "dwalsh at redhat.com" "zabbix_agent SELinux Policy documentation"
 +.SH "NAME"
 +zabbix_agent_selinux \- Security Enhanced Linux Policy for the zabbix_agent processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zabbix_agent processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zabbix_agent processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zabbix_agent processes execute with the zabbix_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep zabbix_agent_t
++
++
++.SH "ENTRYPOINTS"
++
++The zabbix_agent_t SELinux type can be entered via the "zabbix_agent_exec_t" file type.  The default entrypoint paths for the zabbix_agent_t domain are the following:"
++
++/usr/(s)?bin/zabbix_agentd
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
++.PP 
++The following process types are defined for zabbix_agent:
++
++.EX
++.B zabbix_agent_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -96693,27 +104776,9 @@ index 0000000..613ce3e
 +Default Defined Ports:
 +tcp 10050
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zabbix_agent:
-+
-+.EX
-+.B zabbix_agent_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zabbix_agent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zabbix_agent_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zabbix_log_t
@@ -96731,6 +104796,8 @@ index 0000000..613ce3e
 +	/var/run/zabbix(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -96753,54 +104820,67 @@ index 0000000..613ce3e
 +
 +.SH "SEE ALSO"
 +selinux(8), zabbix_agent(8), semanage(8), restorecon(8), chcon(1)
-+, zabbix_selinux(8)
++, zabbix_selinux(8), zabbix_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8
 new file mode 100644
-index 0000000..66338fc
+index 0000000..fe28380
 --- /dev/null
 +++ b/man/man8/zabbix_selinux.8
-@@ -0,0 +1,234 @@
+@@ -0,0 +1,245 @@
 +.TH  "zabbix_selinux"  "8"  "zabbix" "dwalsh at redhat.com" "zabbix SELinux Policy documentation"
 +.SH "NAME"
 +zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zabbix processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zabbix processes via flexible mandatory access control.
 +
-+.SH BOOLEANS
-+SELinux policy is customizable based on least access required.  zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible.
++The zabbix processes execute with the zabbix_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
++For example:
 +
-+.PP
-+If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean.
++.B ps -eZ | grep zabbix_t
 +
-+.EX
-+.B setsebool -P zabbix_can_network 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The zabbix_t SELinux type can be entered via the "zabbix_exec_t" file type.  The default entrypoint paths for the zabbix_t domain are the following:"
++
++/usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3, /usr/sbin/zabbix_server_mysql, /usr/(s)?bin/zabbix_server
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
++.PP 
++The following process types are defined for zabbix:
 +
 +.EX
-+.B setsebool -P httpd_can_connect_zabbix 1
++.B zabbix_agent_t, zabbix_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible.
 +
-+.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean.
 +
 +.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
++.B setsebool -P zabbix_can_network 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean.
++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B setsebool -P httpd_can_connect_zabbix 1
 +.EE
 +
 +.SH FILE CONTEXTS
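Review bot: The SEE ALSO line of zabbix_agent_selinux.8 now lists the same page twice, `, zabbix_selinux(8), zabbix_selinux(8)`, where the previous text had it once. This looks like the generator collecting related domains without de-duplicating them, so the list should be made unique before it is written, giving `, zabbix_selinux(8)` again.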
@@ -96927,27 +105007,9 @@ index 0000000..66338fc
 +Default Defined Ports:
 +tcp 10051
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zabbix:
-+
-+.EX
-+.B zabbix_agent_t, zabbix_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zabbix_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zabbix_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zabbix_log_t
@@ -96969,6 +105031,22 @@ index 0000000..66338fc
 +	/var/run/zabbix(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -96998,33 +105076,46 @@ index 0000000..66338fc
 \ No newline at end of file
 diff --git a/man/man8/zarafa_deliver_selinux.8 b/man/man8/zarafa_deliver_selinux.8
 new file mode 100644
-index 0000000..9d116b7
+index 0000000..02984bb
 --- /dev/null
 +++ b/man/man8/zarafa_deliver_selinux.8
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,143 @@
 +.TH  "zarafa_deliver_selinux"  "8"  "zarafa_deliver" "dwalsh at redhat.com" "zarafa_deliver SELinux Policy documentation"
 +.SH "NAME"
 +zarafa_deliver_selinux \- Security Enhanced Linux Policy for the zarafa_deliver processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_deliver processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zarafa_deliver processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zarafa_deliver processes execute with the zarafa_deliver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep zarafa_deliver_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_deliver_t SELinux type can be entered via the "zarafa_deliver_exec_t" file type.  The default entrypoint paths for the zarafa_deliver_t domain are the following:"
 +
++/usr/bin/zarafa-dagent
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa_deliver:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zarafa_deliver_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -97076,27 +105167,9 @@ index 0000000..9d116b7
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zarafa_deliver:
-+
-+.EX
-+.B zarafa_deliver_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_deliver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_deliver_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_deliver_log_t
@@ -97114,6 +105187,22 @@ index 0000000..9d116b7
 +	/var/run/zarafa-dagent\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
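Review bot: The added NSSWITCH DOMAIN text says the booleans are turned on "for the zarafa_deliver_t", but `setsebool -P authlogin_nsswitch_use_ldap 1` and `setsebool -P kerberos_enabled 1` change policy-wide booleans and `-P` makes the change persistent. Every domain whose rules are conditioned on these booleans gains the access, not only zarafa_deliver_t. I would add a sentence such as `These booleans are not specific to zarafa_deliver_t; enabling them affects every domain that uses them.` and correct the wording to `rather than using an sssd server`. The same paragraphs are added to the zarafa_gateway, zarafa_ical, zarafa_indexer, zarafa_monitor and zarafa_server pages in later hunks, and since the pages look generated the fix probably belongs in the generator template.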
@@ -97133,35 +105222,50 @@ index 0000000..9d116b7
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_deliver(8), semanage(8), restorecon(8), chcon(1)
++, zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/zarafa_gateway_selinux.8 b/man/man8/zarafa_gateway_selinux.8
 new file mode 100644
-index 0000000..cf2b4f4
+index 0000000..9f02f0d
 --- /dev/null
 +++ b/man/man8/zarafa_gateway_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "zarafa_gateway_selinux"  "8"  "zarafa_gateway" "dwalsh at redhat.com" "zarafa_gateway SELinux Policy documentation"
 +.SH "NAME"
 +zarafa_gateway_selinux \- Security Enhanced Linux Policy for the zarafa_gateway processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_gateway processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zarafa_gateway processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zarafa_gateway processes execute with the zarafa_gateway_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_gateway_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep zarafa_gateway_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The zarafa_gateway_t SELinux type can be entered via the "zarafa_gateway_exec_t" file type.  The default entrypoint paths for the zarafa_gateway_t domain are the following:"
++
++/usr/bin/zarafa-gateway
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_gateway_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa_gateway:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zarafa_gateway_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
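Review bot: The relocated PROCESS TYPES text for zarafa_gateway still closes the bold run with `\bP` in `\fBps\bP`, which is not the font-change escape, so the font is never switched back to the previous one. The line should read `You can see the context of a process using the \fB\-Z\fP option to \fBps\fP`. The same escape is carried into the zarafa_ical, zarafa_indexer and zarafa_monitor PROCESS TYPES blocks in later hunks, and into the `\fBls\bP` line of the new zarafa_server FILE CONTEXTS section.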
@@ -97205,27 +105309,9 @@ index 0000000..cf2b4f4
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zarafa_gateway:
-+
-+.EX
-+.B zarafa_gateway_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_gateway_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_gateway_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_gateway_log_t
@@ -97239,6 +105325,22 @@ index 0000000..cf2b4f4
 +	/var/run/zarafa-gateway\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_gateway_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_gateway_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -97258,35 +105360,50 @@ index 0000000..cf2b4f4
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_gateway(8), semanage(8), restorecon(8), chcon(1)
++, zarafa_deliver_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/zarafa_ical_selinux.8 b/man/man8/zarafa_ical_selinux.8
 new file mode 100644
-index 0000000..b36c2e2
+index 0000000..dfaee0b
 --- /dev/null
 +++ b/man/man8/zarafa_ical_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "zarafa_ical_selinux"  "8"  "zarafa_ical" "dwalsh at redhat.com" "zarafa_ical SELinux Policy documentation"
 +.SH "NAME"
 +zarafa_ical_selinux \- Security Enhanced Linux Policy for the zarafa_ical processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_ical processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zarafa_ical processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zarafa_ical processes execute with the zarafa_ical_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_ical_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep zarafa_ical_t
++
++
++.SH "ENTRYPOINTS"
 +
++The zarafa_ical_t SELinux type can be entered via the "zarafa_ical_exec_t" file type.  The default entrypoint paths for the zarafa_ical_t domain are the following:"
++
++/usr/bin/zarafa-ical
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_ical_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa_ical:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zarafa_ical_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
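Review bot: The note on `semanage permissive -a PROCESS_TYPE` in the zarafa_ical PROCESS TYPES block tells the reader how to stop enforcement for the domain but not how to restore it. I would append a sentence such as `Use semanage permissive -d PROCESS_TYPE to return the type to enforcing once troubleshooting is finished.`, so that the page does not leave the domain unconfined as its last instruction. The same note appears unchanged in the zarafa_deliver, zarafa_gateway, zarafa_indexer, zarafa_monitor and zarafa_server pages in this patch.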
@@ -97330,27 +105447,9 @@ index 0000000..b36c2e2
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zarafa_ical:
-+
-+.EX
-+.B zarafa_ical_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_ical_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_ical_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_ical_log_t
@@ -97364,6 +105463,22 @@ index 0000000..b36c2e2
 +	/var/run/zarafa-ical\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_ical_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_ical_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -97383,35 +105498,50 @@ index 0000000..b36c2e2
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_ical(8), semanage(8), restorecon(8), chcon(1)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/zarafa_indexer_selinux.8 b/man/man8/zarafa_indexer_selinux.8
 new file mode 100644
-index 0000000..b4ea945
+index 0000000..f8b62a7
 --- /dev/null
 +++ b/man/man8/zarafa_indexer_selinux.8
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,157 @@
 +.TH  "zarafa_indexer_selinux"  "8"  "zarafa_indexer" "dwalsh at redhat.com" "zarafa_indexer SELinux Policy documentation"
 +.SH "NAME"
 +zarafa_indexer_selinux \- Security Enhanced Linux Policy for the zarafa_indexer processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_indexer processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zarafa_indexer processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zarafa_indexer processes execute with the zarafa_indexer_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep zarafa_indexer_t
++
++
++.SH "ENTRYPOINTS"
++
++The zarafa_indexer_t SELinux type can be entered via the "zarafa_indexer_exec_t" file type.  The default entrypoint paths for the zarafa_indexer_t domain are the following:"
 +
++/usr/bin/zarafa-indexer
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa_indexer:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zarafa_indexer_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
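Review bot: The new ENTRYPOINTS sentence for zarafa_indexer ends with an unmatched double quote, `are the following:"`, which will be printed literally in the rendered page. The sentence should end `for the zarafa_indexer_t domain are the following:`. The same stray quote is in the ENTRYPOINTS sections added for zarafa_gateway, zarafa_ical, zarafa_monitor and zarafa_server, which suggests it comes from the template that produced these pages.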
@@ -97467,27 +105597,9 @@ index 0000000..b4ea945
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zarafa_indexer:
-+
-+.EX
-+.B zarafa_indexer_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_indexer_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_indexer_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_indexer_log_t
@@ -97515,6 +105627,22 @@ index 0000000..b4ea945
 +	/var/lib/zarafa-webaccess(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -97534,35 +105662,50 @@ index 0000000..b4ea945
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_indexer(8), semanage(8), restorecon(8), chcon(1)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/zarafa_monitor_selinux.8 b/man/man8/zarafa_monitor_selinux.8
 new file mode 100644
-index 0000000..6f99918
+index 0000000..1cf00e8
 --- /dev/null
 +++ b/man/man8/zarafa_monitor_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "zarafa_monitor_selinux"  "8"  "zarafa_monitor" "dwalsh at redhat.com" "zarafa_monitor SELinux Policy documentation"
 +.SH "NAME"
 +zarafa_monitor_selinux \- Security Enhanced Linux Policy for the zarafa_monitor processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_monitor processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zarafa_monitor processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zarafa_monitor processes execute with the zarafa_monitor_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_monitor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep zarafa_monitor_t
++
++
++.SH "ENTRYPOINTS"
 +
++The zarafa_monitor_t SELinux type can be entered via the "zarafa_monitor_exec_t" file type.  The default entrypoint paths for the zarafa_monitor_t domain are the following:"
++
++/usr/bin/zarafa-monitor
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_monitor_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa_monitor:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zarafa_monitor_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -97606,27 +105749,9 @@ index 0000000..6f99918
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zarafa_monitor:
-+
-+.EX
-+.B zarafa_monitor_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_monitor_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_monitor_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_monitor_log_t
@@ -97640,6 +105765,22 @@ index 0000000..6f99918
 +	/var/run/zarafa-monitor\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_monitor_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_monitor_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -97659,31 +105800,33 @@ index 0000000..6f99918
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_monitor(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/zarafa_server_selinux.8 b/man/man8/zarafa_server_selinux.8
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
+diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8
 new file mode 100644
-index 0000000..259db27
+index 0000000..23c13e3
 --- /dev/null
-+++ b/man/man8/zarafa_server_selinux.8
-@@ -0,0 +1,145 @@
-+.TH  "zarafa_server_selinux"  "8"  "zarafa_server" "dwalsh at redhat.com" "zarafa_server SELinux Policy documentation"
++++ b/man/man8/zarafa_selinux.8
+@@ -0,0 +1,165 @@
++.TH  "zarafa_selinux"  "8"  "zarafa" "dwalsh at redhat.com" "zarafa SELinux Policy documentation"
 +.SH "NAME"
-+zarafa_server_selinux \- Security Enhanced Linux Policy for the zarafa_server processes
++zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_server processes via flexible mandatory access
++Security-Enhanced Linux secures the zarafa processes via flexible mandatory access
 +control.  
 +
 +.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_server_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
 +.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_server_t, you must turn on the kerberos_enabled boolean.
++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the kerberos_enabled boolean.
 +
 +.EX
 +.B setsebool -P kerberos_enabled 1
@@ -97695,54 +105838,167 @@ index 0000000..259db27
 +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
 +.PP
 +Policy governs the access confined processes have to these files. 
-+SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible.
++SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible.
 +.PP 
-+The following file types are defined for zarafa_server:
++The following file types are defined for zarafa:
 +
 +
 +.EX
 +.PP
-+.B zarafa_server_exec_t 
++.B zarafa_deliver_exec_t 
 +.EE
 +
-+- Set files with the zarafa_server_exec_t type, if you want to transition an executable to the zarafa_server_t domain.
++- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain.
 +
 +
 +.EX
 +.PP
-+.B zarafa_server_log_t 
++.B zarafa_deliver_log_t 
 +.EE
 +
-+- Set files with the zarafa_server_log_t type, if you want to treat the data as zarafa server log data, usually stored under the /var/log directory.
++- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory.
 +
 +
 +.EX
 +.PP
-+.B zarafa_server_tmp_t 
++.B zarafa_deliver_tmp_t 
 +.EE
 +
-+- Set files with the zarafa_server_tmp_t type, if you want to store zarafa server temporary files in the /tmp directories.
++- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories.
 +
 +
 +.EX
 +.PP
-+.B zarafa_server_var_run_t 
++.B zarafa_deliver_var_run_t 
 +.EE
 +
-+- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run directory.
++- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_etc_t 
++.EE
++
++- Set files with the zarafa_etc_t type, if you want to store zarafa files in the /etc directories.
++
++
++.EX
++.PP
++.B zarafa_gateway_exec_t 
++.EE
++
++- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain.
++
++
++.EX
++.PP
++.B zarafa_gateway_log_t 
++.EE
++
++- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_gateway_var_run_t 
++.EE
++
++- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_ical_exec_t 
++.EE
++
++- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain.
++
++
++.EX
++.PP
++.B zarafa_ical_log_t 
++.EE
++
++- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_ical_var_run_t 
++.EE
++
++- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_exec_t 
++.EE
++
++- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain.
++
++
++.EX
++.PP
++.B zarafa_indexer_log_t 
++.EE
++
++- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_indexer_tmp_t 
++.EE
++
++- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_indexer_var_run_t 
++.EE
++
++- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory.
 +
 +.br
 +.TP 5
 +Paths: 
-+/var/run/zarafa, /var/run/zarafa-server\.pid
++/var/run/zarafa-indexer\.pid, /var/run/zarafa-indexer
 +
++.EX
 +.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
++.B zarafa_monitor_exec_t 
++.EE
++
++- Set files with the zarafa_monitor_exec_t type, if you want to transition an execut
+\ No newline at end of file
+diff --git a/man/man8/zarafa_server_selinux.8 b/man/man8/zarafa_server_selinux.8
+new file mode 100644
+index 0000000..56362e1
+--- /dev/null
++++ b/man/man8/zarafa_server_selinux.8
+@@ -0,0 +1,157 @@
++.TH  "zarafa_server_selinux"  "8"  "zarafa_server" "dwalsh at redhat.com" "zarafa_server SELinux Policy documentation"
++.SH "NAME"
++zarafa_server_selinux \- Security Enhanced Linux Policy for the zarafa_server processes
++.SH "DESCRIPTION"
++
++Security-Enhanced Linux secures the zarafa_server processes via flexible mandatory access control.
++
++The zarafa_server processes execute with the zarafa_server_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep zarafa_server_t
 +
++
++.SH "ENTRYPOINTS"
++
++The zarafa_server_t SELinux type can be entered via the "zarafa_server_exec_t" file type.  The default entrypoint paths for the zarafa_server_t domain are the following:"
++
++/usr/bin/zarafa-server
 +.SH PROCESS TYPES
 +SELinux defines process types (domains) for each process running on the system
 +.PP
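Review bot: The new zarafa_selinux.8 page stops in the middle of a word at `transition an execut` and is immediately followed by `\ No newline at end of file`. The zarafa_monitor_exec_t entry is therefore left unfinished, and none of the sections that close the sibling pages (MANAGED FILES, COMMANDS, SEE ALSO) appear for this file. This looks like truncated generator output rather than an intended page. I would regenerate the file and check that it ends with its SEE ALSO section before it is shipped, since a page cut off here gives no file-context guidance for the remaining zarafa types.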
@@ -97761,9 +106017,63 @@ index 0000000..259db27
 +.B semanage permissive -a PROCESS_TYPE 
 +can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible.
++.PP 
++The following file types are defined for zarafa_server:
++
++
++.EX
++.PP
++.B zarafa_server_exec_t 
++.EE
++
++- Set files with the zarafa_server_exec_t type, if you want to transition an executable to the zarafa_server_t domain.
++
++
++.EX
++.PP
++.B zarafa_server_log_t 
++.EE
++
++- Set files with the zarafa_server_log_t type, if you want to treat the data as zarafa server log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B zarafa_server_tmp_t 
++.EE
++
++- Set files with the zarafa_server_tmp_t type, if you want to store zarafa server temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B zarafa_server_var_run_t 
++.EE
++
++- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/zarafa, /var/run/zarafa-server\.pid
++
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
++
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_server_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_server_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_server_log_t
@@ -97791,6 +106101,22 @@ index 0000000..259db27
 +	/var/lib/zarafa-webaccess(/.*)?
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_server_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_server_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -97810,35 +106136,50 @@ index 0000000..259db27
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_server(8), semanage(8), restorecon(8), chcon(1)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_spooler_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/zarafa_spooler_selinux.8 b/man/man8/zarafa_spooler_selinux.8
 new file mode 100644
-index 0000000..6c02d27
+index 0000000..ca48227
 --- /dev/null
 +++ b/man/man8/zarafa_spooler_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,131 @@
 +.TH  "zarafa_spooler_selinux"  "8"  "zarafa_spooler" "dwalsh at redhat.com" "zarafa_spooler SELinux Policy documentation"
 +.SH "NAME"
 +zarafa_spooler_selinux \- Security Enhanced Linux Policy for the zarafa_spooler processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zarafa_spooler processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zarafa_spooler processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zarafa_spooler processes execute with the zarafa_spooler_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_spooler_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep zarafa_spooler_t
++
++
++.SH "ENTRYPOINTS"
 +
++The zarafa_spooler_t SELinux type can be entered via the "zarafa_spooler_exec_t" file type.  The default entrypoint paths for the zarafa_spooler_t domain are the following:"
++
++/usr/bin/zarafa-spooler
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zarafa_spooler_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible.
++.PP 
++The following process types are defined for zarafa_spooler:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zarafa_spooler_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -97882,27 +106223,9 @@ index 0000000..6c02d27
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zarafa_spooler:
-+
-+.EX
-+.B zarafa_spooler_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zarafa_spooler_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zarafa_spooler_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zarafa_spooler_log_t
@@ -97916,6 +106239,22 @@ index 0000000..6c02d27
 +	/var/run/zarafa-spooler\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_spooler_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zarafa_spooler_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -97935,19 +106274,50 @@ index 0000000..6c02d27
 +
 +.SH "SEE ALSO"
 +selinux(8), zarafa_spooler(8), semanage(8), restorecon(8), chcon(1)
++, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8)
+\ No newline at end of file
 diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8
 new file mode 100644
-index 0000000..f05220d
+index 0000000..83bafcb
 --- /dev/null
 +++ b/man/man8/zebra_selinux.8
-@@ -0,0 +1,198 @@
+@@ -0,0 +1,209 @@
 +.TH  "zebra_selinux"  "8"  "zebra" "dwalsh at redhat.com" "zebra SELinux Policy documentation"
 +.SH "NAME"
 +zebra_selinux \- Security Enhanced Linux Policy for the zebra processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zebra processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zebra processes via flexible mandatory access control.
++
++The zebra processes execute with the zebra_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++
++For example:
++
++.B ps -eZ | grep zebra_t
++
++
++.SH "ENTRYPOINTS"
++
++The zebra_t SELinux type can be entered via the "zebra_exec_t" file type.  The default entrypoint paths for the zebra_t domain are the following:"
++
++/usr/sbin/zebra, /usr/sbin/rip.*, /usr/sbin/bgpd, /usr/sbin/ospf.*
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
++.PP 
++The following process types are defined for zebra:
++
++.EX
++.B zebra_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible.
@@ -97960,8 +106330,6 @@ index 0000000..f05220d
 +.B setsebool -P zebra_write_config 1
 +.EE
 +
-+.SH NSSWITCH DOMAIN
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -98073,27 +106441,9 @@ index 0000000..f05220d
 +.EE
 +udp 2600-2604,2606
 +.EE
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zebra:
-+
-+.EX
-+.B zebra_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zebra_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zebra_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zebra_log_t
@@ -98113,6 +106463,8 @@ index 0000000..f05220d
 +	/var/run/\.zserv
 +.br
 +
++.SH NSSWITCH DOMAIN
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -98142,33 +106494,46 @@ index 0000000..f05220d
 \ No newline at end of file
 diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8
 new file mode 100644
-index 0000000..1c49e32
+index 0000000..ad7bea0
 --- /dev/null
 +++ b/man/man8/zoneminder_selinux.8
-@@ -0,0 +1,213 @@
+@@ -0,0 +1,224 @@
 +.TH  "zoneminder_selinux"  "8"  "zoneminder" "dwalsh at redhat.com" "zoneminder SELinux Policy documentation"
 +.SH "NAME"
 +zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zoneminder processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zoneminder processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zoneminder processes execute with the zoneminder_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
++.B ps -eZ | grep zoneminder_t
++
++
++.SH "ENTRYPOINTS"
 +
++The zoneminder_t SELinux type can be entered via the "zoneminder_exec_t" file type.  The default entrypoint paths for the zoneminder_t domain are the following:"
++
++/usr/bin/zmpkg.pl, /usr/bin/motion
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
++.PP 
++The following process types are defined for zoneminder:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zoneminder_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH SHARING FILES
 +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
@@ -98286,27 +106651,9 @@ index 0000000..1c49e32
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zoneminder:
-+
-+.EX
-+.B zoneminder_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
 +.SH "MANAGED FILES"
 +
-+The SELinux user type zoneminder_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux process type zoneminder_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
 +.B zoneminder_log_t
@@ -98340,6 +106687,22 @@ index 0000000..1c49e32
 +	/var/run/motion\.pid
 +.br
 +
++.SH NSSWITCH DOMAIN
++
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -98361,33 +106724,46 @@ index 0000000..1c49e32
 +selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/zos_remote_selinux.8 b/man/man8/zos_remote_selinux.8
 new file mode 100644
-index 0000000..d842792
+index 0000000..c23c4a6
 --- /dev/null
 +++ b/man/man8/zos_remote_selinux.8
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,106 @@
 +.TH  "zos_remote_selinux"  "8"  "zos_remote" "dwalsh at redhat.com" "zos_remote SELinux Policy documentation"
 +.SH "NAME"
 +zos_remote_selinux \- Security Enhanced Linux Policy for the zos_remote processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the zos_remote processes via flexible mandatory access
-+control.  
++Security-Enhanced Linux secures the zos_remote processes via flexible mandatory access control.
 +
-+.SH NSSWITCH DOMAIN
++The zos_remote processes execute with the zos_remote_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++For example:
++
++.B ps -eZ | grep zos_remote_t
 +
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
 +
++.SH "ENTRYPOINTS"
++
++The zos_remote_t SELinux type can be entered via the "zos_remote_exec_t" file type.  The default entrypoint paths for the zos_remote_t domain are the following:"
++
++/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
 +.PP
-+If you want to allow confined applications to run with kerberos for the zos_remote_t, you must turn on the kerberos_enabled boolean.
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible.
++.PP 
++The following process types are defined for zos_remote:
 +
 +.EX
-+.B setsebool -P kerberos_enabled 1
++.B zos_remote_t 
 +.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
@@ -98419,27 +106795,25 @@ index 0000000..d842792
 +.B restorecon
 +to apply the labels.
 +
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.SH "MANAGED FILES"
++
++The SELinux process type zos_remote_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.SH NSSWITCH DOMAIN
++
 +.PP
-+Policy governs the access confined processes have to files. 
-+SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for zos_remote:
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
-+.B zos_remote_t 
++.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
 +
-+.SH "MANAGED FILES"
++.PP
++If you want to allow confined applications to run with kerberos for the zos_remote_t, you must turn on the kerberos_enabled boolean.
 +
-+The SELinux user type zos_remote_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -105313,7 +113687,7 @@ index cf04cb5..bfbf93f 100644
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 8796ca3..10f0231 100644
+index 8796ca3..8bcfe59 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -105508,7 +113882,7 @@ index 8796ca3..10f0231 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +243,17 @@ ifndef(`distro_redhat',`
+@@ -237,11 +243,20 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -105521,12 +113895,15 @@ index 8796ca3..10f0231 100644
 +/var/lib/stickshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
 +/var/lib/stickshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
 +
++/var/lib/openshift/.stickshift-proxy.d(/.*)?   gen_context(system_u:object_r:etc_t,s0)
++/var/lib/openshift/.limits.d(/.*)?        gen_context(system_u:object_r:etc_t,s0)
++
  /var/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
 +/var/lock			-l	gen_context(system_u:object_r:var_lock_t,s0)
  
  /var/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/lost\+found/.*		<<none>>
-@@ -264,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -264,3 +279,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
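Review bot: The two new `/var/lib/openshift/` entries leave the dots unescaped, and file-context specifications are regular expressions, so `.limits.d` and `.stickshift-proxy.d` also match names where any other character stands in place of a dot. That lets the etc_t label land on paths other than the intended hidden directories. The stickshift lines just above have the same pattern, whereas the ssh.fc entry in this commit escapes its dot (`\.ssh`). I would write them as `/var/lib/openshift/\.stickshift-proxy\.d(/.*)?` and `/var/lib/openshift/\.limits\.d(/.*)?`, and fix the stickshift pair the same way.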
@@ -113788,10 +122165,10 @@ index 4318f73..e4d0b31 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..f363a79 100644
+index 078bcd7..84ad865 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,9 +1,21 @@
+@@ -1,9 +1,22 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
@@ -113800,6 +122177,7 @@ index 078bcd7..f363a79 100644
 +/var/lib/gitolite3/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/nocpulse/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/openshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
  
@@ -113813,7 +122191,7 @@ index 078bcd7..f363a79 100644
  
  /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
  /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-@@ -14,3 +26,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -14,3 +27,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -116414,7 +124792,7 @@ index 130ced9..af3532c 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..0a71fa1 100644
+index d40f750..d75a97c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -116741,7 +125119,7 @@ index d40f750..0a71fa1 100644
  ')
  
  optional_policy(`
-@@ -299,64 +399,105 @@ optional_policy(`
+@@ -299,64 +399,108 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -116750,6 +125128,9 @@ index d40f750..0a71fa1 100644
 +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
 +allow xdm_t self:capability2 { block_suspend };
 +dontaudit xdm_t self:capability sys_admin;
++tunable_policy(`deny_ptrace',`',`
++	allow xdm_t self:process ptrace;
++')
 +
 +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
  allow xdm_t self:fifo_file rw_fifo_file_perms;
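Review bot: The new `allow xdm_t self:process ptrace;` takes effect whenever the `deny_ptrace` boolean is off, but nothing records why the display manager needs to trace processes in its own domain. A one-line comment above the `tunable_policy` block should name the component that required it, for example `# <component> needs to ptrace within xdm_t; gated on deny_ptrace`, so the rule can be dropped once that need goes away. The capability line just above still grants `sys_ptrace` unconditionally; it is worth confirming whether that should sit under the same tunable, since from this hunk it looks like only the process permission follows the boolean.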
@@ -116857,7 +125238,7 @@ index d40f750..0a71fa1 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +506,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +509,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -116887,7 +125268,7 @@ index d40f750..0a71fa1 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +536,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +539,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -116940,7 +125321,7 @@ index d40f750..0a71fa1 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -430,9 +588,25 @@ files_list_mnt(xdm_t)
+@@ -430,9 +591,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -116966,7 +125347,7 @@ index d40f750..0a71fa1 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +615,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +618,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -116992,6 +125373,8 @@ index d40f750..0a71fa1 100644
  init_telinit(xdm_t)
 +init_dbus_chat(xdm_t)
 +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
++
++systemd_write_inhibit_pipes(xdm_t)
  
  libs_exec_lib_files(xdm_t)
  
@@ -117000,15 +125383,16 @@ index d40f750..0a71fa1 100644
 -miscfiles_read_localization(xdm_t)
 +miscfiles_search_man_pages(xdm_t)
  miscfiles_read_fonts(xdm_t)
--
--sysnet_read_config(xdm_t)
 +miscfiles_manage_fonts_cache(xdm_t)
 +miscfiles_manage_localization(xdm_t)
 +miscfiles_read_hwdata(xdm_t)
  
+-sysnet_read_config(xdm_t)
++systemd_write_inhibit_pipes(xdm_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +654,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +661,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
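Review bot: `systemd_write_inhibit_pipes(xdm_t)` ends up in the xdm_t block of xserver.te twice: the preceding hunk adds it after `init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")`, and this hunk adds it again after `miscfiles_read_hwdata(xdm_t)`. The second call grants nothing new and leaves two places to touch if the permission is ever revoked. I would keep the one next to the other init/systemd calls and drop the line added here.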
@@ -117058,7 +125442,7 @@ index d40f750..0a71fa1 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,11 +704,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -117080,7 +125464,7 @@ index d40f750..0a71fa1 100644
  ')
  
  optional_policy(`
-@@ -514,12 +726,64 @@ optional_policy(`
+@@ -514,12 +733,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117145,7 +125529,7 @@ index d40f750..0a71fa1 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +801,74 @@ optional_policy(`
+@@ -537,28 +808,74 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117229,7 +125613,7 @@ index d40f750..0a71fa1 100644
  ')
  
  optional_policy(`
-@@ -570,6 +880,14 @@ optional_policy(`
+@@ -570,6 +887,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117244,7 +125628,7 @@ index d40f750..0a71fa1 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +912,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +919,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -117257,7 +125641,7 @@ index d40f750..0a71fa1 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +929,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +936,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -117273,7 +125657,7 @@ index d40f750..0a71fa1 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +956,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +963,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -117295,7 +125679,7 @@ index d40f750..0a71fa1 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +976,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +983,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -117309,7 +125693,7 @@ index d40f750..0a71fa1 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1002,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1009,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -117341,7 +125725,7 @@ index d40f750..0a71fa1 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1041,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -117355,7 +125739,7 @@ index d40f750..0a71fa1 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1053,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1060,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -117379,7 +125763,7 @@ index d40f750..0a71fa1 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1118,40 @@ optional_policy(`
+@@ -775,16 +1125,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117421,7 +125805,7 @@ index d40f750..0a71fa1 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1160,10 @@ optional_policy(`
+@@ -793,6 +1167,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117432,7 +125816,7 @@ index d40f750..0a71fa1 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1179,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1186,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -117446,7 +125830,7 @@ index d40f750..0a71fa1 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1190,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1197,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -117455,7 +125839,7 @@ index d40f750..0a71fa1 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1203,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1210,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -117490,7 +125874,7 @@ index d40f750..0a71fa1 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1225,10 @@ optional_policy(`
+@@ -859,6 +1232,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -117501,7 +125885,7 @@ index d40f750..0a71fa1 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1272,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1279,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -117510,7 +125894,7 @@ index d40f750..0a71fa1 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1326,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1333,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -117542,7 +125926,7 @@ index d40f750..0a71fa1 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1372,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1379,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -124376,7 +132760,7 @@ index f8eeecd..65b0010 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..242ed4e 100644
+index fe3427d..b7d45f7 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
@@ -124402,8 +132786,16 @@ index fe3427d..242ed4e 100644
  /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
  
  /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
+@@ -75,7 +71,6 @@ ifdef(`distro_redhat',`
+ 
+ /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
+ /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+-/var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+ 
+ /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ 
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..d9ccfad 100644
+index 926ba65..2017de8 100644
 --- a/policy/modules/system/miscfiles.if
 +++ b/policy/modules/system/miscfiles.if
 @@ -470,7 +470,6 @@ interface(`miscfiles_legacy_read_localization',`
@@ -124414,7 +132806,18 @@ index 926ba65..d9ccfad 100644
  	allow $1 locale_t:file execute;
  ')
  
-@@ -582,6 +581,26 @@ interface(`miscfiles_manage_man_pages',`
+@@ -531,6 +530,10 @@ interface(`miscfiles_read_man_pages',`
+ 	allow $1 man_t:dir list_dir_perms;
+ 	read_files_pattern($1, man_t, man_t)
+ 	read_lnk_files_pattern($1, man_t, man_t)
++
++	optional_policy(`
++		mandb_read_cache_files($1)
++	')
+ ')
+ 
+ ########################################
+@@ -582,6 +585,30 @@ interface(`miscfiles_manage_man_pages',`
  
  ########################################
  ## <summary>
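Review bot: The `mandb_read_cache_files($1)` call added to `miscfiles_read_man_pages` gives callers less access to /var/cache/man than they had before this commit. The commit relabels that path from `man_t` to `mandb_cache_t`, and `mandb_read_cache_files` is only a `read_files_pattern`, whereas the `man_t` rules just above it also grant `list_dir_perms` and `read_lnk_files_pattern`. If any caller lists the cache directory or follows symlinks in it, this will show up as new AVC denials; either confirm none does, or add `allow $1 mandb_cache_t:dir list_dir_perms;` to the mandb interface. The manage and delete man-page interfaces lie outside this hunk and presumably need the same check.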
@@ -124434,6 +132837,10 @@ index 926ba65..d9ccfad 100644
 +	files_search_usr($1)
 +	relabel_dirs_pattern($1, man_t, man_t)
 +	relabel_files_pattern($1, man_t, man_t)
++
++	optional_policy(`
++		mandb_relabel_cache($1)
++	')
 +')
 +
 +########################################
@@ -124441,7 +132848,7 @@ index 926ba65..d9ccfad 100644
  ##	Read public files used for file
  ##	transfer services.
  ## </summary>
-@@ -745,7 +764,6 @@ interface(`miscfiles_etc_filetrans_localization',`
+@@ -745,7 +772,6 @@ interface(`miscfiles_etc_filetrans_localization',`
  	')
  
  	files_etc_filetrans($1, locale_t, file)
@@ -124449,7 +132856,7 @@ index 926ba65..d9ccfad 100644
  ')
  
  ########################################
-@@ -769,3 +787,43 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +795,43 @@ interface(`miscfiles_manage_localization',`
  	manage_lnk_files_pattern($1, locale_t, locale_t)
  ')
  
@@ -127802,10 +136209,10 @@ index 0000000..44a9dca
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..693ded2
+index 0000000..0d6acca
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,850 @@
+@@ -0,0 +1,887 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -128465,6 +136872,24 @@ index 0000000..693ded2
 +	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
 +')
 +
++########################################
++## <summary>
++##	Allow the specified domain to start all systemd services.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_start_all_services',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	allow $1 systemd_unit_file_type:service start;
++')
++
 +
 +########################################
 +## <summary>
@@ -128486,7 +136911,6 @@ index 0000000..693ded2
 +	init_config_all_script_files($1)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Transition to systemd named content
@@ -128656,6 +137080,26 @@ index 0000000..693ded2
 +	systemd_exec_systemctl($1)
 +	allow $1 power_unit_file_t:service start;
 +')
++
++#######################################
++## <summary>
++##  Start power unit files domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`systemd_start_all_unit_files',`
++    gen_require(`
++        attribute systemd_unit_file_type;
++    ')
++
++    systemd_exec_systemctl($1)
++    allow $1 systemd_unit_file_type:service start;
++')
++
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
 index 0000000..05da975
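Review bot: The doc block of the new `systemd_start_all_unit_files` is copied from the power-unit interface above it and does not describe what the interface grants. The body allows `start` on every type carrying `systemd_unit_file_type`, so the summary should read `##  Execute systemctl and start all systemd unit files.` and the parameter text `##  Domain allowed access.`. It also overlaps with `systemd_start_all_services`, added in an earlier hunk of this commit, which carries the identical `allow` rule without the `systemd_exec_systemctl($1)` call. Keeping one interface and having the other call it would avoid two names for the same permission.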
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index b9ac6dd..bfbd0d0 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -808,7 +808,7 @@ index 1adca53..18e0e41 100644
  
  /var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)
 diff --git a/accountsd.if b/accountsd.if
-index c0f858d..d75aae9 100644
+index c0f858d..c256428 100644
 --- a/accountsd.if
 +++ b/accountsd.if
 @@ -5,9 +5,9 @@
@@ -885,7 +885,7 @@ index c0f858d..d75aae9 100644
  	ps_process_pattern($1, accountsd_t)
  
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 acountsd_t:process ptrace;
++		allow $1 accountsd_t:process ptrace;
 +	')
 +
  	accountsd_manage_lib_files($1)
@@ -1258,10 +1258,18 @@ index 838d25b..33981e0 100644
  	admin_pattern($1, aide_db_t)
  
 diff --git a/aide.te b/aide.te
-index 2509dd2..7ada82f 100644
+index 2509dd2..88d5615 100644
 --- a/aide.te
 +++ b/aide.te
-@@ -32,6 +32,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t)
+@@ -8,6 +8,7 @@ policy_module(aide, 1.6.0)
+ type aide_t;
+ type aide_exec_t;
+ application_domain(aide_t, aide_exec_t)
++cron_system_entry(aide_t, aide_exec_t)
+ 
+ # log files
+ type aide_log_t;
+@@ -32,6 +33,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t)
  logging_log_filetrans(aide_t, aide_log_t, file)
  
  files_read_all_files(aide_t)
@@ -1275,7 +1283,7 @@ index 2509dd2..7ada82f 100644
  
  logging_send_audit_msgs(aide_t)
  # AIDE can be configured to log to syslog
-@@ -39,4 +46,4 @@ logging_send_syslog_msg(aide_t)
+@@ -39,4 +47,4 @@ logging_send_syslog_msg(aide_t)
  
  seutil_use_newrole_fds(aide_t)
  
@@ -1987,7 +1995,7 @@ index e81bdbd..e3a396b 100644
 -	usermanage_domtrans_admin_passwd(anaconda_t)
 -')
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..f53ba23 100644
+index fd9fa07..50e40f7 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,39 +1,57 @@
@@ -2081,7 +2089,7 @@ index fd9fa07..f53ba23 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +95,45 @@ ifdef(`distro_suse', `
+@@ -73,31 +95,46 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2096,6 +2104,7 @@ index fd9fa07..f53ba23 100644
 +/var/lib/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
++/var/lib/openshift/.httpd.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 +/var/lib/stickshift/.httpd.d(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
 +/var/lib/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/trac(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
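Review bot: The new `/var/lib/openshift/.httpd.d(/.*)?` entry leaves both dots unescaped, so in the file-context regex they match any character rather than a literal dot. The `httpd_config_t` label would then also apply to look-alike names, for example a constructed `/var/lib/openshift/xhttpdxd`. Writing it as `/var/lib/openshift/\.httpd\.d(/.*)?` matches the escaping used for `\.tmp` and `\.sandbox` in openshift.fc in this same commit. The stickshift line below it has the same issue.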
@@ -2131,7 +2140,7 @@ index fd9fa07..f53ba23 100644
  
  /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +145,25 @@ ifdef(`distro_debian', `
+@@ -109,3 +146,25 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -5768,7 +5777,7 @@ index dc687e6..e0255eb 100644
  # /usr
  #
 diff --git a/bluetooth.if b/bluetooth.if
-index 3e45431..540f783 100644
+index 3e45431..e1eee58 100644
 --- a/bluetooth.if
 +++ b/bluetooth.if
 @@ -27,7 +27,11 @@ interface(`bluetooth_role',`
@@ -5879,10 +5888,11 @@ index 3e45431..540f783 100644
  	gen_require(`
 -		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
 -		type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+-		type bluetooth_conf_t, bluetooth_conf_rw_t;
+-		type bluetooth_initrc_exec_t;
 +		type bluetooth_t, bluetooth_lock_t;
 +		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
- 		type bluetooth_conf_t, bluetooth_conf_rw_t;
--		type bluetooth_initrc_exec_t;
++		type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_tmp_t;
 +		type bluetooth_unit_file_t;
  	')
  
@@ -6010,7 +6020,7 @@ index 0000000..bda740a
 +/var/log/boinc\.log.*				--		gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/boinc.if b/boinc.if
 new file mode 100644
-index 0000000..9d891b7
+index 0000000..e8ada4b
 --- /dev/null
 +++ b/boinc.if
 @@ -0,0 +1,188 @@
@@ -6181,7 +6191,7 @@ index 0000000..9d891b7
 +	ps_process_pattern($1, boinc_t)
 +
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 boic_t:process ptrace;
++		allow $1 boinc_t:process ptrace;
 +	')
 +
 +	boinc_initrc_domtrans($1)
@@ -7938,7 +7948,7 @@ index b6bb46c..9a2bf65 100644
 +/var/log/cgrulesengd\.log.*	--	gen_context(system_u:object_r:cgred_log_t,s0)
  /var/run/cgred.*			gen_context(system_u:object_r:cgred_var_run_t,s0)
 diff --git a/cgroup.if b/cgroup.if
-index 33facaf..c624aaa 100644
+index 33facaf..11700ae 100644
 --- a/cgroup.if
 +++ b/cgroup.if
 @@ -171,15 +171,27 @@ interface(`cgroup_admin',`
@@ -7951,7 +7961,7 @@ index 33facaf..c624aaa 100644
  
 -	allow $1 cgconfig_t:process { ptrace signal_perms };
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 cglcear_t:process ptrace;
++		allow $1 cgclear_t:process ptrace;
 +	')
 +
 +	allow $1 cgconfig_t:process signal_perms;
@@ -7973,7 +7983,7 @@ index 33facaf..c624aaa 100644
  	admin_pattern($1, cgrules_etc_t)
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index 806191a..6b8ab32 100644
+index 806191a..9be883e 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -7987,17 +7997,20 @@ index 806191a..6b8ab32 100644
  init_daemon_domain(cgconfig_t, cgconfig_exec_t)
  
  type cgconfig_initrc_exec_t;
-@@ -42,6 +42,9 @@ files_config_file(cgconfig_etc_t)
+@@ -42,8 +42,12 @@ files_config_file(cgconfig_etc_t)
  
  allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
  
 +read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
 +
-+
  kernel_read_system_state(cgclear_t)
  
++auth_use_nsswitch(cgclear_t)
++
  domain_setpriority_all_domains(cgclear_t)
-@@ -64,7 +67,6 @@ kernel_list_unlabeled(cgconfig_t)
+ 
+ fs_manage_cgroup_dirs(cgclear_t)
+@@ -64,7 +68,6 @@ kernel_list_unlabeled(cgconfig_t)
  kernel_read_system_state(cgconfig_t)
  
  # /etc/nsswitch.conf, /etc/passwd
@@ -8005,7 +8018,7 @@ index 806191a..6b8ab32 100644
  
  fs_manage_cgroup_dirs(cgconfig_t)
  fs_manage_cgroup_files(cgconfig_t)
-@@ -72,12 +74,15 @@ fs_mount_cgroup(cgconfig_t)
+@@ -72,12 +75,15 @@ fs_mount_cgroup(cgconfig_t)
  fs_mounton_cgroup(cgconfig_t)
  fs_unmount_cgroup(cgconfig_t)
  
@@ -8022,7 +8035,7 @@ index 806191a..6b8ab32 100644
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
-@@ -86,6 +91,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -86,6 +92,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
  
  allow cgred_t cgrules_etc_t:file read_file_perms;
  
@@ -8032,7 +8045,7 @@ index 806191a..6b8ab32 100644
  # rc script creates pid file
  manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
  manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -100,10 +108,9 @@ files_getattr_all_files(cgred_t)
+@@ -100,10 +109,9 @@ files_getattr_all_files(cgred_t)
  files_getattr_all_sockets(cgred_t)
  files_read_all_symlinks(cgred_t)
  # /etc/group
@@ -9445,7 +9458,7 @@ index 0000000..d013099
 +')
 +
 diff --git a/cmirrord.if b/cmirrord.if
-index f8463c0..126b293 100644
+index f8463c0..cc4d9ef 100644
 --- a/cmirrord.if
 +++ b/cmirrord.if
 @@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',`
@@ -9470,7 +9483,7 @@ index f8463c0..126b293 100644
  	ps_process_pattern($1, cmirrord_t)
  
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 cmorrord_t:process ptrace;
++		allow $1 cmirrord_t:process ptrace;
 +	')
 +
  	cmirrord_initrc_domtrans($1)
@@ -12062,7 +12075,7 @@ index 47dfa07..1beadbd 100644
  ifdef(`distro_gentoo',`
  /usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
 diff --git a/courier.if b/courier.if
-index 9971337..476f1e2 100644
+index 9971337..4078c26 100644
 --- a/courier.if
 +++ b/courier.if
 @@ -50,7 +50,6 @@ template(`courier_domain_template',`
@@ -12073,7 +12086,16 @@ index 9971337..476f1e2 100644
  	corenet_all_recvfrom_netlabel(courier_$1_t)
  	corenet_tcp_sendrecv_generic_if(courier_$1_t)
  	corenet_udp_sendrecv_generic_if(courier_$1_t)
-@@ -104,6 +103,25 @@ interface(`courier_domtrans_authdaemon',`
+@@ -90,7 +89,7 @@ template(`courier_domain_template',`
+ ##	Execute the courier authentication daemon with
+ ##	a domain transition.
+ ## </summary>
+-## <param name="prefix">
++## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed to transition.
+ ##	</summary>
+@@ -104,12 +103,31 @@ interface(`courier_domtrans_authdaemon',`
  	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
  ')
  
@@ -12099,6 +12121,22 @@ index 9971337..476f1e2 100644
  ########################################
  ## <summary>
  ##	Execute the courier POP3 and IMAP server with
+ ##	a domain transition.
+ ## </summary>
+-## <param name="prefix">
++## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed to transition.
+ ##	</summary>
+@@ -127,7 +145,7 @@ interface(`courier_domtrans_pop',`
+ ## <summary>
+ ##	Read courier config files
+ ## </summary>
+-## <param name="prefix">
++## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
 @@ -138,6 +156,7 @@ interface(`courier_read_config',`
  		type courier_etc_t;
  	')
@@ -12107,6 +12145,15 @@ index 9971337..476f1e2 100644
  	read_files_pattern($1, courier_etc_t, courier_etc_t)
  ')
  
+@@ -146,7 +165,7 @@ interface(`courier_read_config',`
+ ##	Create, read, write, and delete courier
+ ##	spool directories.
+ ## </summary>
+-## <param name="prefix">
++## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
 @@ -157,6 +176,7 @@ interface(`courier_manage_spool_dirs',`
  		type courier_spool_t;
  	')
@@ -12115,6 +12162,15 @@ index 9971337..476f1e2 100644
  	manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
  ')
  
+@@ -165,7 +185,7 @@ interface(`courier_manage_spool_dirs',`
+ ##	Create, read, write, and delete courier
+ ##	spool files.
+ ## </summary>
+-## <param name="prefix">
++## <param name="domains">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
 @@ -176,6 +196,7 @@ interface(`courier_manage_spool_files',`
  		type courier_spool_t;
  	')
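Review bot: The parameter rename in the doc block for `courier_manage_spool_files` reads `## <param name="domains">`, while every other courier interface touched in this commit uses `name="domain"`. Change it to `## <param name="domain">` so the generated interface documentation stays consistent.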
@@ -13712,10 +13768,10 @@ index 0000000..4f7d237
 +
 diff --git a/ctdbd.te b/ctdbd.te
 new file mode 100644
-index 0000000..8b2fdba
+index 0000000..33656de
 --- /dev/null
 +++ b/ctdbd.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
 +policy_module(ctdbd, 1.0.0)
 +
 +########################################
@@ -13802,11 +13858,12 @@ index 0000000..8b2fdba
 +files_read_etc_files(ctdbd_t)
 +files_search_all_mountpoints(ctdbd_t)
 +
++auth_use_nsswitch(ctdbd_t)
++
 +logging_send_syslog_msg(ctdbd_t)
 +
 +miscfiles_read_public_files(ctdbd_t)
 +
-+
 +optional_policy(`
 +	consoletype_exec(ctdbd_t)
 +')
@@ -13877,7 +13934,7 @@ index 848bb92..e6ecaa5 100644
 +
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 305ddf4..c960be7 100644
+index 305ddf4..236f5ba 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -9,6 +9,11 @@
@@ -13962,7 +14019,16 @@ index 305ddf4..c960be7 100644
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -350,9 +384,43 @@ interface(`cups_admin',`
+@@ -341,18 +375,49 @@ interface(`cups_admin',`
+ 
+ 	admin_pattern($1, cupsd_lpd_var_run_t)
+ 
+-	admin_pattern($1, cupsd_spool_t)
+-	files_list_spool($1)
+-
+ 	admin_pattern($1, cupsd_tmp_t)
+ 	files_list_tmp($1)
+ 
  	admin_pattern($1, cupsd_var_run_t)
  	files_list_pids($1)
  
@@ -22539,10 +22605,10 @@ index 00a19e3..17006fc 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..3e6dac9 100644
+index f5afe78..189d973 100644
 --- a/gnome.if
 +++ b/gnome.if
-@@ -1,44 +1,979 @@
+@@ -1,44 +1,984 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -22586,11 +22652,6 @@ index f5afe78..3e6dac9 100644
 +## <summary>
 +##      The role template for the gnome-keyring-daemon.
 +## </summary>
-+## <param name="user_domain">
-+##      <summary>
-+##      The user domain associated with the role.
-+##      </summary>
-+## </param>
 +## <param name="user_prefix">
 +##      <summary>
 +##      The user prefix.
@@ -22601,6 +22662,11 @@ index f5afe78..3e6dac9 100644
 +##      The user role.
 +##      </summary>
 +## </param>
++## <param name="user_domain">
++##      <summary>
++##      The user domain associated with the role.
++##      </summary>
++## </param>
 +#
 +interface(`gnome_role_gkeyringd',`
 +        gen_require(`
@@ -22673,6 +22739,11 @@ index f5afe78..3e6dac9 100644
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
++## <param name="role">
++##  <summary>
++##  Role allowed access.
++##  </summary>
++## </param>
 +#
 +interface(`gnome_run_gkeyringd',`
 +    gen_require(`
@@ -23540,7 +23611,7 @@ index f5afe78..3e6dac9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +981,91 @@ interface(`gnome_role',`
+@@ -46,37 +986,91 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -23643,7 +23714,7 @@ index f5afe78..3e6dac9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +1073,100 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1078,100 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -23755,7 +23826,7 @@ index f5afe78..3e6dac9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +1174,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1179,36 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -23796,7 +23867,7 @@ index f5afe78..3e6dac9 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1211,274 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1216,274 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -24366,10 +24437,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/gnomeclock.te b/gnomeclock.te
-index 4fde46b..74a2212 100644
+index 4fde46b..3cece7c 100644
 --- a/gnomeclock.te
 +++ b/gnomeclock.te
-@@ -7,38 +7,76 @@ policy_module(gnomeclock, 1.0.0)
+@@ -7,38 +7,77 @@ policy_module(gnomeclock, 1.0.0)
  
  type gnomeclock_t;
  type gnomeclock_exec_t;
@@ -24383,7 +24454,7 @@ index 4fde46b..74a2212 100644
  
 -allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
 -allow gnomeclock_t self:process { getattr getsched };
-+allow gnomeclock_t self:capability { sys_nice sys_time };
++allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
 +allow gnomeclock_t self:process { getattr getsched signal };
  allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
  allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
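Review bot: Adding `dac_override` to the `gnomeclock_t` capability set lets the clock helper bypass discretionary file permission checks on everything its type rules reach, and the line has no comment saying which access needed it. If the denial came from reading a file owned by another user, `dac_read_search` is the narrower capability. Otherwise add a comment naming the file so the grant can be revisited, e.g. `# dac_override: <path that triggered the denial>`. The rest of the gnomeclock policy lies outside this hunk.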
@@ -24438,6 +24509,7 @@ index 4fde46b..74a2212 100644
 +
 +optional_policy(`
 +	gnome_manage_usr_config(gnomeclock_t)
++	gnome_read_home_config(gnomeclock_t)
 +')
 +
 +optional_policy(`
@@ -25824,9 +25896,18 @@ index 10f25d3..ec4cd54 100644
  
  optional_policy(`
 diff --git a/inn.if b/inn.if
-index ebc9e0d..2c4b5da 100644
+index ebc9e0d..617f52f 100644
 --- a/inn.if
 +++ b/inn.if
+@@ -13,7 +13,7 @@
+ #
+ interface(`inn_exec',`
+ 	gen_require(`
+-		type innd_t;
++		type innd_exec_t;
+ 	')
+ 
+ 	can_exec($1, innd_exec_t)
 @@ -93,6 +93,7 @@ interface(`inn_read_config',`
  		type innd_etc_t;
  	')
@@ -30237,7 +30318,7 @@ index 572b5db..1e55f43 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
 +
 diff --git a/logrotate.te b/logrotate.te
-index 7090dae..1f05a7e 100644
+index 7090dae..1f475e6 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -30299,13 +30380,14 @@ index 7090dae..1f05a7e 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -112,21 +114,18 @@ logging_send_audit_msgs(logrotate_t)
+@@ -112,21 +114,19 @@ logging_send_audit_msgs(logrotate_t)
  # cjp: why is this needed?
  logging_exec_all_logs(logrotate_t)
  
 -miscfiles_read_localization(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
 +systemd_getattr_unit_files(logrotate_t)
++systemd_start_all_unit_files(logrotate_t)
 +init_stream_connect(logrotate_t)
  
 -seutil_dontaudit_read_config(logrotate_t)
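Review bot: `systemd_start_all_unit_files(logrotate_t)` lets logrotate start any unit whose type carries `systemd_unit_file_type`, which is wider than the set of services a postrotate script needs to restart. logrotate executes scripts taken from its configuration, so it is worth limiting the startable units to the daemons that ship logrotate snippets. That could be done through per-service interfaces inside `optional_policy` blocks, as the rest of this file does for other daemons. If the broad grant is intentional, say so next to the call: `# postrotate scripts call systemctl for arbitrary services`.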
@@ -30328,7 +30410,7 @@ index 7090dae..1f05a7e 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -138,7 +137,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +138,7 @@ ifdef(`distro_debian', `
  ')
  
  optional_policy(`
@@ -30337,7 +30419,7 @@ index 7090dae..1f05a7e 100644
  ')
  
  optional_policy(`
-@@ -154,6 +153,10 @@ optional_policy(`
+@@ -154,6 +154,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30348,7 +30430,7 @@ index 7090dae..1f05a7e 100644
  	asterisk_domtrans(logrotate_t)
  ')
  
-@@ -162,10 +165,20 @@ optional_policy(`
+@@ -162,10 +166,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30369,7 +30451,7 @@ index 7090dae..1f05a7e 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -178,6 +191,10 @@ optional_policy(`
+@@ -178,6 +192,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30380,7 +30462,7 @@ index 7090dae..1f05a7e 100644
  	icecast_signal(logrotate_t)
  ')
  
-@@ -194,15 +211,19 @@ optional_policy(`
+@@ -194,15 +212,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30401,7 +30483,7 @@ index 7090dae..1f05a7e 100644
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -228,3 +249,14 @@ optional_policy(`
+@@ -228,3 +250,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -31338,6 +31420,214 @@ index 0000000..c49849d
 +domain_use_interactive_fds(httpd_man2html_script_t)
 +
 +files_read_etc_files(httpd_man2html_script_t)
+diff --git a/mandb.fc b/mandb.fc
+new file mode 100644
+index 0000000..75b9968
+--- /dev/null
++++ b/mandb.fc
+@@ -0,0 +1,3 @@
++/usr/bin/mandb		--	gen_context(system_u:object_r:mandb_exec_t,s0)
++
++/var/cache/man(/.*)?		gen_context(system_u:object_r:mandb_cache_t,s0)
+diff --git a/mandb.if b/mandb.if
+new file mode 100644
+index 0000000..c61b812
+--- /dev/null
++++ b/mandb.if
+@@ -0,0 +1,152 @@
++
++## <summary>policy for mandb</summary>
++
++########################################
++## <summary>
++##	Transition to mandb.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mandb_domtrans',`
++	gen_require(`
++		type mandb_t, mandb_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, mandb_exec_t, mandb_t)
++')
++
++########################################
++## <summary>
++##	Search mandb cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mandb_search_cache',`
++	gen_require(`
++		type mandb_cache_t;
++	')
++
++	allow $1 mandb_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read mandb cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mandb_read_cache_files',`
++	gen_require(`
++		type mandb_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++## <summary>
++##	Relabel mandb cache files/directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mandb_relabel_cache',`
++	gen_require(`
++		type mandb_cache_t;
++	')
++
++	allow $1 mandb_cache_t:dir relabel_dir_perms;
++	allow $1 mandb_cache_t:file relabel_file_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	mandb cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mandb_manage_cache_files',`
++	gen_require(`
++		type mandb_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage mandb cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mandb_manage_cache_dirs',`
++	gen_require(`
++		type mandb_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an mandb environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mandb_admin',`
++	gen_require(`
++		type mandb_t;
++		type mandb_cache_t;
++	')
++
++	allow $1 mandb_t:process { ptrace signal_perms };
++	ps_process_pattern($1, mandb_t)
++
++	files_search_var($1)
++	admin_pattern($1, mandb_cache_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/mandb.te b/mandb.te
+new file mode 100644
+index 0000000..8cc45e7
+--- /dev/null
++++ b/mandb.te
+@@ -0,0 +1,35 @@
++policy_module(mandb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mandb_t;
++type mandb_exec_t;
++init_daemon_domain(mandb_t, mandb_exec_t)
++cron_system_entry(mandb_t, mandb_exec_t)
++
++type mandb_cache_t;
++files_type(mandb_cache_t)
++
++########################################
++#
++# mandb local policy
++#
++allow mandb_t self:fifo_file rw_fifo_file_perms;
++allow mandb_t self:unix_stream_socket create_stream_socket_perms;
++allow mandb_t self:process signal;
++
++manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
++manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
++manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
++files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
++
++kernel_read_system_state(mandb_t)
++
++corecmd_exec_bin(mandb_t)
++
++domain_use_interactive_fds(mandb_t)
++
++files_read_etc_files(mandb_t)
 diff --git a/mcelog.fc b/mcelog.fc
 index 56c43c0..409bbfc 100644
 --- a/mcelog.fc
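Review bot: `mandb_admin` grants `ptrace` on `mandb_t` unconditionally in its `allow $1 mandb_t:process { ptrace signal_perms };` rule, so the `deny_ptrace` boolean has no effect on it. The other admin interfaces touched in this commit (accountsd, boinc, cgroup, cmirrord) put the ptrace rule inside a `tunable_policy` on `deny_ptrace`, and this one should follow the same shape, as below. The interface also documents a `role` parameter that the body never uses. The systemd password-agent calls look like template residue, since the module declares no unit file type; both are worth a second look.

```selinux
interface(`mandb_admin',`
	# … unchanged: gen_require block …

	allow $1 mandb_t:process signal_perms;
	ps_process_pattern($1, mandb_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 mandb_t:process ptrace;
	')

	# … unchanged: files_search_var, admin_pattern, optional_policy …
```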
@@ -32573,7 +32863,7 @@ index 3a73e74..60e7237 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index b397fde..36e1117 100644
+index b397fde..c7c031d 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -18,10 +18,11 @@
@@ -32660,7 +32950,7 @@ index b397fde..36e1117 100644
  	allow mozilla_plugin_t $1:process signull;
  ')
  
-@@ -224,6 +265,31 @@ interface(`mozilla_run_plugin',`
+@@ -224,6 +265,32 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
@@ -32681,6 +32971,7 @@ index b397fde..36e1117 100644
 +interface(`mozilla_role_plugin',`
 +    gen_require(`
 +        type mozilla_plugin_t;
++		type mozilla_plugin_config_t;
 +    ')
 +
 +    role $1 types mozilla_plugin_t;
@@ -32692,7 +32983,7 @@ index b397fde..36e1117 100644
  ')
  
  ########################################
-@@ -265,9 +331,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -265,9 +332,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -32721,7 +33012,7 @@ index b397fde..36e1117 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -275,28 +359,118 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +360,118 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -32756,7 +33047,7 @@ index b397fde..36e1117 100644
  
 -	allow $1 mozilla_plugin_tmpfs_t:file unlink;
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
- ')
++')
 +
 +#######################################
 +## <summary>
@@ -32774,7 +33065,7 @@ index b397fde..36e1117 100644
 +    ')
 +
 +    dontaudit $1 mozilla_plugin_tmp_t:file { read write };
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -40122,18 +40413,22 @@ index 0000000..966d0b3
 +files_read_config_files(openshift_domain)
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..84338ed
+index 0000000..fdff8eb
 --- /dev/null
 +++ b/openshift.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,22 @@
 +/etc/rc\.d/init\.d/libra        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mcollective        gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
 +
 +/var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
++/var/lib/openshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/openshift/.*/data(/.*)?          gen_context(system_u:object_r:openshift_rw_file_t,s0)
 +
 +/var/lib/stickshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +/var/lib/stickshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/openshift/.*/\.tmp(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
++/var/lib/openshift/.*/\.sandbox(/.*)?        gen_context(system_u:object_r:openshift_tmp_t,s0)
 +
 +/var/log/mcollective\.log        --    gen_context(system_u:object_r:openshift_log_t,s0)
 +
@@ -40143,6 +40438,7 @@ index 0000000..84338ed
 +/usr/bin/rhc-restorer-wrapper.sh    --  gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
 +
 +/var/run/stickshift(/.*)?		    	gen_context(system_u:object_r:openshift_var_run_t,s0)
++/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
 index 0000000..d0fa573
@@ -40706,10 +41002,10 @@ index 0000000..d0fa573
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..bbd9e46
+index 0000000..b4cafe8
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,342 @@
+@@ -0,0 +1,347 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -41017,6 +41313,11 @@ index 0000000..bbd9e46
 +openshift_net_type(openshift_app_t)
 +openshift_net_type(openshift_t)
 +
++optional_policy(`
++	postfix_rw_public_pipes(openshift_t)
++	postfix_manage_spool_maildrop_files(openshift_t)
++')
++
 +########################################
 +#
 +# openshift_cgroup_read local policy
@@ -42902,10 +43203,10 @@ index 0000000..dd1b8f2
 +/var/lib/opencryptoki(/.*)?		gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
 diff --git a/pkcsslotd.if b/pkcsslotd.if
 new file mode 100644
-index 0000000..db15de4
+index 0000000..f383566
 --- /dev/null
 +++ b/pkcsslotd.if
-@@ -0,0 +1,162 @@
+@@ -0,0 +1,161 @@
 +
 +## <summary>policy for pkcsslotd</summary>
 +
@@ -43021,7 +43322,6 @@ index 0000000..db15de4
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
 +	allow $1 pkcsslotd_unit_file_t:file read_file_perms;
 +	allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
 +
@@ -44652,7 +44952,7 @@ index 1ddfa16..c0e0959 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/postfix.if b/postfix.if
-index 46bee12..3d33d82 100644
+index 46bee12..a9cf37f 100644
 --- a/postfix.if
 +++ b/postfix.if
 @@ -28,75 +28,23 @@ interface(`postfix_stub',`
@@ -44772,7 +45072,33 @@ index 46bee12..3d33d82 100644
  ')
  
  ########################################
-@@ -272,7 +221,8 @@ interface(`postfix_read_local_state',`
+@@ -257,6 +206,25 @@ interface(`postfix_rw_local_pipes',`
+ 	allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
+ ')
+ 
++#######################################
++## <summary>
++##  Allow read/write postfix public pipes
++##  TCP sockets.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`postfix_rw_public_pipes',`
++    gen_require(`
++        type postfix_public_t;
++    ')
++
++    allow $1 postfix_public_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow domain to read postfix local process state
+@@ -272,7 +240,8 @@ interface(`postfix_read_local_state',`
  		type postfix_local_t;
  	')
  
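Review bot: The summary on the new `postfix_rw_public_pipes` interface mentions "TCP sockets", but the only rule it adds is `allow $1 postfix_public_t:fifo_file rw_inherited_fifo_file_perms;`, so the documentation overstates what a caller receives. The permission set is the inherited variant, which (going by its name) leaves out `open`, whereas `postfix_rw_local_pipes` just above uses plain `rw_fifo_file_perms`. I would reword the summary to `##	Read and write inherited postfix public pipes.` and switch to `rw_fifo_file_perms` only if opening the FIFO by path is really intended. The new block is also indented with spaces where the neighbouring interfaces use tabs.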
@@ -44782,7 +45108,7 @@ index 46bee12..3d33d82 100644
  ')
  
  ########################################
-@@ -290,7 +240,27 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +259,27 @@ interface(`postfix_read_master_state',`
  		type postfix_master_t;
  	')
  
@@ -44811,7 +45137,7 @@ index 46bee12..3d33d82 100644
  ')
  
  ########################################
-@@ -376,6 +346,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +365,25 @@ interface(`postfix_domtrans_master',`
  	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
  ')
  
@@ -44837,7 +45163,7 @@ index 46bee12..3d33d82 100644
  ########################################
  ## <summary>
  ##	Execute the master postfix program in the
-@@ -404,7 +393,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +412,6 @@ interface(`postfix_exec_master',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -44845,7 +45171,7 @@ index 46bee12..3d33d82 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -416,6 +404,24 @@ interface(`postfix_stream_connect_master',`
+@@ -416,6 +423,24 @@ interface(`postfix_stream_connect_master',`
  
  ########################################
  ## <summary>
@@ -44870,7 +45196,7 @@ index 46bee12..3d33d82 100644
  ##	Execute the master postdrop in the
  ##	postfix_postdrop domain.
  ## </summary>
-@@ -462,7 +468,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -462,7 +487,7 @@ interface(`postfix_domtrans_postqueue',`
  ##	</summary>
  ## </param>
  #
@@ -44879,7 +45205,7 @@ index 46bee12..3d33d82 100644
  	gen_require(`
  		type postfix_postqueue_exec_t;
  	')
-@@ -529,6 +535,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +554,25 @@ interface(`postfix_domtrans_smtp',`
  
  ########################################
  ## <summary>
@@ -44905,7 +45231,7 @@ index 46bee12..3d33d82 100644
  ##	Search postfix mail spool directories.
  ## </summary>
  ## <param name="domain">
-@@ -539,10 +564,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +583,10 @@ interface(`postfix_domtrans_smtp',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -44918,7 +45244,7 @@ index 46bee12..3d33d82 100644
  	files_search_spool($1)
  ')
  
-@@ -558,10 +583,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +602,10 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -44931,7 +45257,7 @@ index 46bee12..3d33d82 100644
  	files_search_spool($1)
  ')
  
-@@ -577,11 +602,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +621,11 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -44945,7 +45271,7 @@ index 46bee12..3d33d82 100644
  ')
  
  ########################################
-@@ -596,11 +621,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +640,31 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -44956,10 +45282,30 @@ index 46bee12..3d33d82 100644
  	files_search_spool($1)
 -	manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
 +	manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
++')
++
++#######################################
++## <summary>
++##  Create, read, write, and delete postfix maildrop spool files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`postfix_manage_spool_maildrop_files',`
++    gen_require(`
++        type postfix_spool_maildrop_t;
++    ')
++
++    files_search_spool($1)
++    manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++    manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  ')
  
  ########################################
-@@ -621,3 +646,155 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +685,155 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
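Review bot: `postfix_manage_spool_maildrop_files` is named and summarised as a files interface, yet it also calls `manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)`, so callers can create and delete maildrop directories as well. Either drop that line so the interface matches `postfix_manage_spool_files` above it, which only uses `manage_files_pattern`, or change the summary to `##	Create, read, write, and delete postfix maildrop spool directories and files.` so anyone auditing a caller sees the full grant. The body uses space indentation, unlike the tab-indented interfaces around it.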
@@ -49528,7 +49874,7 @@ index 0000000..6e15504
 +	sudo_exec(quantum_t)
 +')
 diff --git a/quota.fc b/quota.fc
-index f387230..746532d 100644
+index f387230..0ee2489 100644
 --- a/quota.fc
 +++ b/quota.fc
 @@ -1,4 +1,5 @@
@@ -49537,7 +49883,7 @@ index f387230..746532d 100644
  
  /a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
  
-@@ -8,12 +9,20 @@ HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
+@@ -8,12 +9,21 @@ HOME_ROOT/a?quota\.(user|group)	--	gen_context(system_u:object_r:quota_db_t,s0)
  
  /sbin/quota(check|on)		--	gen_context(system_u:object_r:quota_exec_t,s0)
  
@@ -49557,6 +49903,7 @@ index f387230..746532d 100644
 +/usr/sbin/quota_nld     --  gen_context(system_u:object_r:quota_nld_exec_t,s0)
 +
 +/var/lib/stickshift/a?quota\.(user|group)    --    gen_context(system_u:object_r:quota_db_t,s0)
++/var/lib/openshift/a?quota\.(user|group)    --    gen_context(system_u:object_r:quota_db_t,s0)
 +
 +/var/run/quota_nld\.pid --  gen_context(system_u:object_r:quota_nld_var_run_t,s0)
 diff --git a/quota.if b/quota.if
@@ -55040,7 +55387,7 @@ index 82cb169..9bb5db2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 905883f..d93d8ce 100644
+index 905883f..b92d9af 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -55379,7 +55726,7 @@ index 905883f..d93d8ce 100644
  files_list_var_lib(nmbd_t)
  
  auth_use_nsswitch(nmbd_t)
-@@ -544,8 +574,6 @@ auth_use_nsswitch(nmbd_t)
+@@ -544,12 +574,14 @@ auth_use_nsswitch(nmbd_t)
  logging_search_logs(nmbd_t)
  logging_send_syslog_msg(nmbd_t)
  
@@ -55388,7 +55735,15 @@ index 905883f..d93d8ce 100644
  userdom_use_unpriv_users_fds(nmbd_t)
  userdom_dontaudit_search_user_home_dirs(nmbd_t)
  
-@@ -562,18 +590,21 @@ optional_policy(`
+ optional_policy(`
++	ctdbd_stream_connect(nmbd_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(nmbd_t)
+ ')
+ 
+@@ -562,18 +594,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -55414,7 +55769,7 @@ index 905883f..d93d8ce 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -581,11 +612,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -581,11 +616,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -55422,11 +55777,11 @@ index 905883f..d93d8ce 100644
 +dev_read_urand(smbcontrol_t)
 +
 +term_use_console(smbcontrol_t)
-+
  
 -miscfiles_read_localization(smbcontrol_t)
  
 -userdom_use_user_terminals(smbcontrol_t)
++
 +sysnet_use_ldap(smbcontrol_t)
 +
 +userdom_use_inherited_user_terminals(smbcontrol_t)
@@ -55437,7 +55792,7 @@ index 905883f..d93d8ce 100644
  
  ########################################
  #
-@@ -604,7 +643,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -604,7 +647,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
  
  can_exec(smbmount_t, smbmount_exec_t)
  
@@ -55446,7 +55801,7 @@ index 905883f..d93d8ce 100644
  allow smbmount_t samba_log_t:file manage_file_perms;
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -615,7 +654,6 @@ files_list_var_lib(smbmount_t)
+@@ -615,7 +658,6 @@ files_list_var_lib(smbmount_t)
  
  kernel_read_system_state(smbmount_t)
  
@@ -55454,7 +55809,7 @@ index 905883f..d93d8ce 100644
  corenet_all_recvfrom_netlabel(smbmount_t)
  corenet_tcp_sendrecv_generic_if(smbmount_t)
  corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,25 +683,25 @@ files_list_mnt(smbmount_t)
+@@ -645,25 +687,25 @@ files_list_mnt(smbmount_t)
  files_mounton_mnt(smbmount_t)
  files_manage_etc_runtime_files(smbmount_t)
  files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -55485,7 +55840,7 @@ index 905883f..d93d8ce 100644
  ########################################
  #
  # SWAT Local policy
-@@ -684,7 +722,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -684,7 +726,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -55495,7 +55850,7 @@ index 905883f..d93d8ce 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -699,12 +738,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -699,12 +742,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -55510,7 +55865,7 @@ index 905883f..d93d8ce 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +758,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +762,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -55518,7 +55873,7 @@ index 905883f..d93d8ce 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -726,7 +768,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +772,6 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -55526,7 +55881,7 @@ index 905883f..d93d8ce 100644
  corenet_all_recvfrom_netlabel(swat_t)
  corenet_tcp_sendrecv_generic_if(swat_t)
  corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +785,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +789,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
  dev_read_urand(swat_t)
  
  files_list_var_lib(swat_t)
@@ -55534,7 +55889,7 @@ index 905883f..d93d8ce 100644
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
  fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +799,10 @@ logging_send_syslog_msg(swat_t)
+@@ -759,7 +803,10 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -55546,7 +55901,7 @@ index 905883f..d93d8ce 100644
  
  optional_policy(`
  	cups_read_rw_config(swat_t)
-@@ -790,7 +833,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +837,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -55556,7 +55911,7 @@ index 905883f..d93d8ce 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -813,21 +857,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +861,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -55587,7 +55942,7 @@ index 905883f..d93d8ce 100644
  corenet_all_recvfrom_netlabel(winbind_t)
  corenet_tcp_sendrecv_generic_if(winbind_t)
  corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,6 +887,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,6 +891,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -55595,7 +55950,7 @@ index 905883f..d93d8ce 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -855,12 +903,14 @@ auth_manage_cache(winbind_t)
+@@ -855,12 +907,14 @@ auth_manage_cache(winbind_t)
  
  domain_use_interactive_fds(winbind_t)
  
@@ -55612,7 +55967,7 @@ index 905883f..d93d8ce 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +921,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -55624,7 +55979,7 @@ index 905883f..d93d8ce 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -909,9 +964,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +968,7 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -55635,7 +55990,7 @@ index 905883f..d93d8ce 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -929,19 +982,34 @@ optional_policy(`
+@@ -929,19 +986,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -57833,7 +58188,7 @@ index 0000000..e1ef619
 +/var/run/sensord\.pid      --  gen_context(system_u:object_r:sensord_var_run_t,s0)
 diff --git a/sensord.if b/sensord.if
 new file mode 100644
-index 0000000..e3d6190
+index 0000000..ef53e87
 --- /dev/null
 +++ b/sensord.if
 @@ -0,0 +1,80 @@
@@ -57875,7 +58230,6 @@ index 0000000..e3d6190
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
 +	allow $1 sensord_unit_file_t:file read_file_perms;
 +	allow $1 sensord_unit_file_t:service manage_service_perms;
 +
@@ -57912,6 +58266,7 @@ index 0000000..e3d6190
 +	sensord_systemctl($1)
 +	admin_pattern($1, sensord_unit_file_t)
 +	allow $1 sensord_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -58958,7 +59313,7 @@ index e5e72fd..84936ca 100644
  userdom_dontaudit_search_user_home_dirs(slrnpull_t)
  
 diff --git a/smartmon.if b/smartmon.if
-index adea9f9..145adbd 100644
+index adea9f9..f5dd0fe 100644
 --- a/smartmon.if
 +++ b/smartmon.if
 @@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
@@ -58977,7 +59332,7 @@ index adea9f9..145adbd 100644
 +	allow $1 fsdaemon_t:process signal_perms;
  	ps_process_pattern($1, fsdaemon_t)
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 smartmon_t:process ptrace;
++		allow $1 fsdaemon_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
@@ -65324,7 +65679,7 @@ index 2124b6a..d85be92 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/virt.if b/virt.if
-index 6f0736b..d5b53ed 100644
+index 6f0736b..4bebdef 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,64 +13,61 @@
@@ -65773,8 +66128,8 @@ index 6f0736b..d5b53ed 100644
 +	allow $1 virtd_t:process signal_perms;
  	ps_process_pattern($1, virtd_t)
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 virtd_t:process ptrace_perms;
-+		allow $1 virt_lxc_t:process ptrace_perms;
++		allow $1 virtd_t:process ptrace;
++		allow $1 virt_lxc_t:process ptrace;
 +	')
 +
 +	allow $1 virt_lxc_t:process signal_perms;
@@ -67719,19 +68074,33 @@ index 0000000..29b9d6a
 +
 +logging_send_syslog_msg(wdmd_t)
 diff --git a/webadm.te b/webadm.te
-index 0ecc786..3e7e984 100644
+index 0ecc786..bce3db5 100644
 --- a/webadm.te
 +++ b/webadm.te
-@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
+@@ -23,12 +23,21 @@ role webadm_r;
+ 
+ userdom_base_user_template(webadm)
+ 
++type webadm_tmp_t;
++files_tmp_file(webadm_tmp_t)
++
+ ########################################
+ #
  # webadmin local policy
  #
  
 -allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
++
++manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
++manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
++manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
++files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
++can_exec(webadm_t, webadm_tmp_t)
  
  files_dontaudit_search_all_dirs(webadm_t)
  files_manage_generic_locks(webadm_t)
-@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
+@@ -38,6 +47,7 @@ selinux_get_enforce_mode(webadm_t)
  seutil_domtrans_setfiles(webadm_t)
  
  logging_send_syslog_msg(webadm_t)
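Review bot: `files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })` leaves out `lnk_file`, although the same hunk adds `manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)`. A symlink that webadm_t creates directly in the tmp directory would then keep the parent's label, so the lnk_file rule would only take effect inside an already labelled webadm_tmp_t directory. If symlinks are needed, `files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir lnk_file })` makes the two lines agree; otherwise the lnk_file pattern can go. Separately, `can_exec(webadm_t, webadm_tmp_t)` lets the domain execute files it can also write, which deserves a one-line comment naming the tool that requires it. webadm.te continues outside this hunk.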
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1483b94..b62a60b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Nov 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-31
+- Add new mandb policy
+- ALlow systemd-tmpfiles_t to relabel mandb_cache_t
+- Allow logrotate to start all unit files
+
 * Thu Nov 4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-30
 - Add fixes for ctbd
 - Allow nmbd to stream connect to ctbd

