From 2f530e89d91a102f7de576f9048987fea37a39f6 Mon Sep 17 00:00:00 2001
From: Hubert Quarantel-Colombani
Date: Sun, 1 Sep 2024 12:24:03 +0200
Subject: [PATCH] springboot_selinux man page creation
---
manpages/man8/springboot_selinux.8 | 245 +++++++++++++++++++++++++++++
rpm/selinux_springboot.spec | 4 +
2 files changed, 249 insertions(+)
create mode 100644 manpages/man8/springboot_selinux.8
diff --git a/manpages/man8/springboot_selinux.8 b/manpages/man8/springboot_selinux.8
new file mode 100644
index 0000000..014a88a
--- /dev/null
+++ b/manpages/man8/springboot_selinux.8
@@ -0,0 +1,245 @@
+'\" t
+.TH springboot_selinux 8 "Springboot SELinux policy man page"
+.LO 8
+
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+
+.SH Name
+springboot_selinux \- Security Enhanced Linux Policy for Java Spring Boot services
+
+.SH Description
+.PP
+Security-Enhanced Linux (SELinux) secures the Java Springboot processes via flexible
+mandatory access control (MAC).
+.PP
+The Springboot application/service processes execute with the \fIspringboot_t\fR SELinux
+type (domain).
+.PP
+You can check if you have these processes running by executing the \fBps\fR
+command with the \fB\-Z\fR qualifier.
+.PP
+For example:
+.RS 2
+\fBps \-eZ | grep springboot_t\fR
+.RE
+
+.SH Entrypoints
+.PP
+The springboot_t SELinux type/domain can be entered via the \fIspringboot_exec_t\fR file type.
+.br
+The default entrypoint paths for the springboot_t domain are the following:
+/opt/springboot/bin/springboot_service, /opt/springboot/bin/springboot_service.sh and /opt/springboot/service/*
+.RE
+
+.SH Process types
+.PP
+SELinux defines process types (domains) for each process running on the system.
+Policy governs the access confined processes have to files/directories and all other types
+of resources on the system (network ports, other processes...).
+.PP
+The springboot_t process type (domain) is defined for Springboot application/service processes.
+.PP
+Note: \fBsemanage permissive \-a springboot_t\fR
+.RS 2
+Can be used to make the process type springboot_t permissive.
+.br
+Permissive process types are not denied access by SELinux. AVC messages will still be generated.
+.RE
+
+.SH Booleans
+.PP
+The SELinux policy rules for the springboot_t domain can be tuned using predefined booleans to allow/disallow
+the Springboot application different actions.
+.PP
+\fBallow_springboot_connectto_http\fR (true)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to HTTP ports (labeled as http_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_self\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to other Springboot applications ports (labeled as springboot_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_ldap\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to LDAP ports (labeled as ldap_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_smtp\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to SMTP ports (labeled as smtp_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_oracle\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to Oracle ports (labeled as oracle_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_mysql\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to MySQL/MariaDB ports (labeled as mysqlde_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_pgsql\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to PostgreSQL ports (labeled as postgresql_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_redis\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to Redis ports (labeled as redis_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_couchdb\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to CouchDB ports (labeled as couch_port_t).
+.RE
+.PP
+\fBallow_springboot_connectto_mongodb\fR (false)
+.RS 4
+Whether to allow the Springboot application to connect (TCP) to MongoDB ports (labeled as mongod_port_t).
+.RE
+.PP
+\fBallow_springboot_dynamic_libs\fR (false)
+.RS 4
+Whether to allow the Springboot application to create and use (execute/map) dynamic libraries.
+.RE
+.PP
+\fBallow_springboot_purge_logs\fR (false)
+.RS 4
+Whether to allow the Springboot application to delete its log files.
+.RE
+.PP
+\fBallow_springboot_rewrite_logs\fR (false)
+.RS 4
+Whether to allow the Springboot application to rewrite/modify its log files.
+.RE
+.PP
+\fBallow_webadm_read_springboot_files\fR (false)
+.RS 4
+Whether to allow users processes running in the \fIwebadm_t\fR SELinux domain to read Springboot application files.
+.RE
+.PP
+\fBallow_sysadm_write_springboot_files\fR (false)
+.RS 4
+Whether to allow users processes running in the \fIsysadm_t\fR SELinux domain to modify/alter Springboot application files.
+.RE
+.PP
+\fBallow_sysadm_manage_springboot_auth_files\fR (false)
+.RS 4
+Whether to allow users processes running in the \fIsysadm_t\fR SELinux domain to modify/alter Springboot application authentication/sensitive files.
+.RE
+.PP
+.RE
+
+.SH File Contexts
+.PP
+\fBspringboot_conf_t\fR
+.RS 4
+Files containing (not highly sensitive) configuration properties and information.
+(Cannot be altered by the Springboot application)
+.RE
+.PP
+\fBspringboot_auth_t\fR
+.RS 4
+Files containing sensitive/confidention configuration properties and authentication information.
+(Cannot be altered by the Springboot application)
+.RE
+.PP
+\fBspringboot_log_t\fR
+.RS 4
+Application log files, may contain sensitive information.
+(Append-only access by the Springboot application, by default)
+.RE
+.PP
+\fBspringboot_var_t\fR
+.RS 4
+Application (various) data files, persistent across application restart and system reboot.
+.RE
+.PP
+\fBspringboot_run_t\fR
+.RS 4
+Application (various) data transient/volative files, not persistent across application restart and system reboot.
+.RE
+.PP
+\fBspringboot_tmp_t\fR
+.RS 4
+Application temporary files.
+.RE
+.PP
+\fBspringboot_bin_t\fR
+.RS 4
+Application binary/executables files.
+(Cannot be altered by the Springboot application)
+.RE
+.PP
+\fBspringboot_lib_t\fR
+.RS 4
+Application libraries files, such as JAR files or .SO files in case os native call/interface.
+(Cannot be altered by the Springboot application)
+.RE
+.PP
+\fBspringboot_dynlib_t\fR
+.RS 4
+Application dynamic libraries files. May be deployed/created/rewritten by the Springboot application itself.
+.RE
+.PP
+\fBspringboot_unit_file_t\fR
+.RS 4
+systemd unit files to control/manage the Springboot application services and targets.
+(Cannot be altered by the Springboot application)
+.RE
+.PP
+.RE
+
+.SH Port Types
+.PP
+\fBspringboot_port_t\fR
+.RS 4
+TCP port the Springboot application binds to and listens on for client connections.
+.RE
+.PP
+\fBspringboot_monitoring_port_t\fR
+.RS 4
+TCP port the Springboot application binds to and listens on for monitoring purposes.
+.RE
+.PP
+.RE
+
+.SH Interfaces
+.PP
+.RE
+
+.SH Author
+.PP
+The Springboot SELinux policy was initially authored by Hubert Quarantel-Colombani and is now published and maintained by LHQG
+.RE
+
+.SH "See Also"
+.PP
+\fBselinux\fR(8),
+\fBsemanage\fR(8),
+\fBrestorecon\fR(8),
+\fBsepolicy\fR(8),
+\fBsetsebool\fR(8)
+.PP
+LHQG GitHub repository
\ No newline at end of file
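Review bot: The port type names quoted in the Booleans section should be checked against the types the policy actually references, because an administrator will paste them straight into `semanage port`: `mysqlde_port_t` looks like a typo for `mysqld_port_t`, and the distribution policies I am aware of label CouchDB as `couchdb_port_t` rather than `couch_port_t`. The `.TH` line puts a free-text title in the third field, which man(7) renders as the page date in the footer; the conventional form is `.TH springboot_selinux 8 "2024-09-01" "selinux_springboot" "Springboot SELinux policy"`. The empty `Interfaces` section renders as a heading with nothing under it and is better dropped or filled in. Spelling slips worth fixing in the same pass: `confidention`, `volative` and `case os native`.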
diff --git a/rpm/selinux_springboot.spec b/rpm/selinux_springboot.spec
index 32dc031..d97ac1f 100644
--- a/rpm/selinux_springboot.spec
+++ b/rpm/selinux_springboot.spec
@@ -43,12 +43,14 @@ make -f /usr/share/selinux/devel/Makefile -C %{_builddir} springboot.pp
 %install
 mkdir -p -m 0755 %{buildroot}/usr/share/selinux/packages/targeted
+mkdir -p -m 0755 %{buildroot}/usr/share/man/man8
 mkdir -p -m 0755 %{buildroot}/%{_docdir}/%{name}
 mkdir -p -m 0755 %{buildroot}/%{_datarootdir}/%{name}
 install -m 0555 %{_builddir}/scripts/* %{buildroot}/%{_datarootdir}/%{name}/
 install -m 0444 %{_builddir}/springboot.pp %{buildroot}/usr/share/selinux/packages/targeted/
 install -m 0444 %{_builddir}/{LICENSE,README.md} %{buildroot}/%{_docdir}/%{name}/
+install -m 0444 %{_builddir}/manpages/man8/*.8 %{buildroot}/usr/share/man/man8/
 ###################################
@@ -61,6 +63,7 @@ then
 restorecon -RFi /{opt,srv}/springboot
 restorecon -RFi /{lib,etc}/systemd/system/springboot*
 restorecon -RFi /var/{lib,log,run,tmp}/springboot
+restorecon -RFi /usr/share/man
 fi
 ###################################
@@ -85,3 +88,4 @@ fi
 %dir %{_docdir}/%{name}
 %license %{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/README.md
+%doc /usr/share/man/man*/*
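Review bot: The new `mkdir` and `install` lines in `%install` hard-code `/usr/share/man/man8` while the neighbouring lines already use macros (`%{_docdir}`, `%{_datarootdir}`); `%{buildroot}%{_mandir}/man8` keeps the section consistent and follows the distribution's placement of the manual tree. The same applies to the `%files` entry in the last hunk: `%doc /usr/share/man/man*/*` claims any page that happens to land in the buildroot, and since brp-compress gzips pages after `%install`, the conventional exact entry is `%{_mandir}/man8/springboot_selinux.8*`. As far as I recall rpm already treats everything under `%{_mandir}` as documentation, so the `%doc` prefix there is redundant.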
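Review bot: `restorecon -RFi /usr/share/man` in the `%post` hunk walks the whole manual tree on every install and upgrade to relabel a single file, and with `-F` it also resets customisable labels under that tree that a local administrator may have set deliberately; the enclosing `if … then` block begins outside the hunk. rpm's SELinux plugin labels files as they are unpacked, so the line is most likely redundant; if a relabel is kept as a safety net, restrict it to what this package ships, e.g. `restorecon -Fi /usr/share/man/man8/springboot_selinux.8*`. Unlike the `/opt` and `/var` paths above it, which this policy module labels, `/usr/share/man` is labelled by the base policy, so the relabel does not depend on `springboot.pp` having been loaded.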