initial import from svn trunk revision 2950
diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile
new file mode 100644
index 0000000..984b6af
--- /dev/null
+++ b/libselinux/man/Makefile
@@ -0,0 +1,13 @@
+# Installation directories.
+MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
+MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
+MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
+
+install:
+	mkdir -p $(MAN3DIR)
+	mkdir -p $(MAN5DIR)
+	mkdir -p $(MAN8DIR)
+	install -m 644 man3/*.3 $(MAN3DIR)
+	install -m 644 man5/*.5 $(MAN5DIR)
+	install -m 644 man8/*.8 $(MAN8DIR)
+
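Review bot: the install target is not declared phony, and the three `mkdir -p` lines create the man directories with whatever mode the caller's umask yields, while the files get an explicit 644. Suggest adding `.PHONY: install` and using `install -d -m 755 $(MAN3DIR)` (likewise for man5 and man8) so directory permissions are as deterministic as the file modes. Also, DESTDIR is folded into the `?=` defaults, so a caller who overrides MAN3DIR silently loses the DESTDIR prefix; consider keeping DESTDIR out of the variables and prefixing it at the point of use.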
diff --git a/libselinux/man/man3/avc_add_callback.3 b/libselinux/man/man3/avc_add_callback.3
new file mode 100644
index 0000000..9c83cac
--- /dev/null
+++ b/libselinux/man/man3/avc_add_callback.3
@@ -0,0 +1,184 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
+.TH "avc_add_callback" "3" "9 June 2004" "" "SELinux API documentation"
+.SH "NAME"
+avc_add_callback \- additional event notification for SELinux userspace object managers.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "int avc_add_callback(int (*" callback ")(uint32_t " event , 
+.in +\w'int avc_add_callback(int (*callback)('u
+.BI "security_id_t " ssid ,
+
+.BI "security_id_t " tsid ,
+
+.BI "security_class_t " tclass ,
+
+.BI "access_vector_t " perms ,
+
+.BI "access_vector_t *" out_retained "),"
+.in
+.in +\w'int avc_add_callback('u
+.BI "uint32_t " events ", security_id_t " ssid , 
+
+.BI "security_id_t " tsid ", security_class_t " tclass ,
+
+.BI "access_vector_t " perms ");"
+.in
+.SH "DESCRIPTION"
+.B avc_add_callback
+is used to register callback functions on security events.  The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.
+
+.I events
+is the
+.RI bitwise- or
+of security events on which to register the callback; see
+.B SECURITY EVENTS
+below.
+
+.IR ssid ,
+.IR tsid ,
+.IR tclass ,
+and
+.I perms
+specify the source and target SID's, target class, and specific permissions that the callback wishes to monitor.  The special symbol
+.B SECSID_WILD
+may be passed as the
+.I source
+or
+.I target
+and will cause any SID to match.
+
+.I callback
+is the callback function provided by the userspace object manager.  The
+.I event
+argument indicates the security event which occured; the remaining arguments are interpreted according to the event as described below.  The return value of the callback should be zero on success, \-1 on error with errno set appropriately (but see
+.B RETURN VALUE
+below).
+
+.SH "SECURITY EVENTS"
+In all cases below,
+.I ssid
+and/or
+.I tsid
+may be set to
+.BR SECSID_WILD ,
+indicating that the change applies to all source and/or target SID's.  Unless otherwise indicated, the
+.I out_retained
+parameter is unused.
+
+.TP
+.B AVC_CALLBACK_GRANT
+Previously denied permissions are now granted for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+.I perms
+indicates the permissions to grant.
+.TP
+.B AVC_CALLBACK_TRY_REVOKE
+Previously granted permissions are now conditionally revoked for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+.I perms
+indicates the permissions to revoke.  The callback should set
+.I out_retained
+to the subset of
+.I perms
+which are retained as migrated permissions.  Note that
+.I out_retained
+is ignored if the callback returns \-1.
+.TP
+.B AVC_CALLBACK_REVOKE
+Previously granted permissions are now unconditionally revoked for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+.I perms
+indicates the permissions to revoke.
+.TP
+.B AVC_CALLBACK_RESET
+Indicates that the cache was flushed.  The SID, class, and permission arguments are unused and are set to NULL.
+.TP
+.B AVC_CALLBACK_AUDITALLOW_ENABLE
+The permissions given by
+.I perms
+should now be audited when granted for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+.TP
+.B AVC_CALLBACK_AUDITALLOW_DISABLE
+The permissions given by
+.I perms
+should no longer be audited when granted for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+.TP
+.B AVC_CALLBACK_AUDITDENY_ENABLE
+The permissions given by
+.I perms
+should now be audited when denied for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+.TP
+.B AVC_CALLBACK_AUDITDENY_DISABLE
+The permissions given by
+.I perms
+should no longer be audited when denied for
+.IR ssid ,
+.I tsid
+with respect to
+.IR tclass .
+
+.SH "RETURN VALUE"
+On success,
+.B avc_add_callback
+returns zero.  On error, \-1 is returned and
+.I errno
+is set appropriately.
+
+A return value of \-1 from a callback is interpreted as a failed policy operation.  If such a return value is encountered, all remaining callbacks registered on the event are called.  In threaded mode, the netlink handler thread may then terminate and cause the userspace AVC to return
+.B EINVAL
+on all further permission checks until
+.BR avc_destroy (3)
+is called.  In non-threaded mode, the permission check on which the error occurred will return \-1 and the value of 
+.I errno
+encountered to the caller.  In both cases, a log message is produced and the kernel may be notified of the error.
+
+.SH "ERRORS"
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "NOTES"
+If the userspace AVC is running in threaded mode, callbacks registered via
+.B avc_add_callback
+may be executed in the context of the netlink handler thread.  This will likely introduce synchronization issues requiring the use of locks.  See
+.BR avc_init (3).
+
+Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module.  The only security event that currently gets excercised is
+.BR AVC_CALLBACK_RESET .
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_init (3),
+.BR avc_has_perm (3),
+.BR avc_context_to_sid (3),
+.BR avc_cache_stats (3),
+.BR security_compute_av (3)
+.BR selinux (8)
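Review bot: in DESCRIPTION the SECSID_WILD sentence says it may be passed as the `source` or `target`, but the synopsis names those parameters ssid and tsid; use the real parameter names so the italicised words match the prototype. The AVC_CALLBACK_TRY_REVOKE entry states that out_retained is ignored when the callback returns -1 but does not say whether the permissions are then treated as revoked; one sentence would settle it. Minor: "occured" and "excercised" are misspelled, and the SEE ALSO entry for security_compute_av (3) lacks its trailing comma.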
diff --git a/libselinux/man/man3/avc_audit.3 b/libselinux/man/man3/avc_audit.3
new file mode 100644
index 0000000..3caf27b
--- /dev/null
+++ b/libselinux/man/man3/avc_audit.3
@@ -0,0 +1 @@
+.so man3/avc_has_perm.3
diff --git a/libselinux/man/man3/avc_av_stats.3 b/libselinux/man/man3/avc_av_stats.3
new file mode 100644
index 0000000..6732dc1
--- /dev/null
+++ b/libselinux/man/man3/avc_av_stats.3
@@ -0,0 +1 @@
+.so man3/avc_cache_stats.3
diff --git a/libselinux/man/man3/avc_cache_stats.3 b/libselinux/man/man3/avc_cache_stats.3
new file mode 100644
index 0000000..96f2b21
--- /dev/null
+++ b/libselinux/man/man3/avc_cache_stats.3
@@ -0,0 +1,99 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
+.TH "avc_cache_stats" "3" "27 May 2004" "" "SELinux API documentation"
+.SH "NAME"
+avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "void avc_av_stats(void);"
+.sp
+.BI "void avc_sid_stats(void);"
+.sp
+.BI "void avc_cache_stats(struct avc_cache_stats *" stats ");"
+.SH "DESCRIPTION"
+The userspace AVC maintains two internal hash tables, one to store security ID's and one to cache access decisions.
+
+.B avc_av_stats
+and
+.B avc_sid_stats
+produce log messages indicating the status of the access decision and SID tables, respectively.  The messages contain the number of entries in the table, number of hash buckets and number of buckets used, and maximum number of entries in a single bucket.
+
+.B avc_cache_stats
+populates a structure whose fields reflect cache activity:
+
+.RS
+.ta 4n 14n
+.nf
+struct avc_cache_stats {
+	unsigned	entry_lookups;
+	unsigned	entry_hits;
+	unsigned	entry_misses;
+	unsigned	entry_discards;
+	unsigned	cav_lookups;
+	unsigned	cav_hits;
+	unsigned	cav_probes;
+	unsigned	cav_misses;
+};
+.fi
+.ta
+.RE
+
+.TP
+.I entry_lookups
+Number of queries made.
+.TP
+.I entry_hits
+Number of times a decision was found in the
+.I aeref
+argument.
+.TP
+.I entry_misses
+Number of times a decision was not found in the
+.I aeref
+argument.
+.TP
+.I entry_discards
+Number of times a decision was not found in the
+.I aeref
+argument and the
+.I aeref
+argument was non-NULL.
+.TP
+.I cav_lookups
+Number of cache lookups.
+.TP
+.I cav_hits
+Number of cache hits.
+.TP
+.I cav_misses
+Number of cache misses.
+.TP
+.I cav_probes
+Number of entries examined while searching the cache.
+
+.SH "NOTES"
+When the cache is flushed as a result of a call to
+.B avc_reset
+or a policy change notification,
+the statistics returned by
+.B avc_cache_stats
+are reset to zero.  The SID table, however, is left
+unchanged.
+
+When a policy change notification is received, a call to
+.B avc_av_stats
+is made before the cache is flushed.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_init (3),
+.BR avc_has_perm (3),
+.BR avc_context_to_sid (3),
+.BR avc_add_callback (3)
+.BR selinux (8)
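Review bot: the entry_hits, entry_misses and entry_discards descriptions refer to "the aeref argument", yet nothing in this page's SYNOPSIS takes an aeref, so the reader cannot tell which call is meant. Say it is the entry reference passed to avc_has_perm(3) or avc_has_perm_noaudit, and reword entry_discards so it is clear how it differs from entry_misses beyond the non-NULL condition. NOTES mentions avc_reset but SEE ALSO has no entry leading to it, the field descriptions list cav_misses before cav_probes while the struct has the opposite order, and the avc_add_callback (3) entry lacks its trailing comma.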
diff --git a/libselinux/man/man3/avc_cleanup.3 b/libselinux/man/man3/avc_cleanup.3
new file mode 100644
index 0000000..ca549ae
--- /dev/null
+++ b/libselinux/man/man3/avc_cleanup.3
@@ -0,0 +1 @@
+.so man3/avc_open.3
diff --git a/libselinux/man/man3/avc_compute_create.3 b/libselinux/man/man3/avc_compute_create.3
new file mode 100644
index 0000000..f102cc9
--- /dev/null
+++ b/libselinux/man/man3/avc_compute_create.3
@@ -0,0 +1,68 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation"
+.SH "NAME"
+avc_compute_create, avc_compute_member \- obtain SELinux label for new object.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid ,
+.in +\w'int avc_compute_create('u
+.BI "security_class_t " tclass ", security_id_t *" newsid ");"
+.sp
+.in
+.BI "int avc_compute_member(security_id_t " ssid ", security_id_t " tsid ,
+.in +\w'int avc_compute_member('u
+.BI "security_class_t " tclass ", security_id_t *" newsid ");"
+.in
+.SH "DESCRIPTION"
+.B avc_compute_create
+is used to compute a SID to use for labeling a new object in a particular class based on a SID pair.  This call is identical to
+.BR security_compute_create ,
+but does not require converting from userspace SID's to contexts and back again.
+
+.B avc_compute_member
+is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair.  This call is identical to
+.BR security_compute_member ,
+but does not require converting from userspace SID's to contexts and back again.
+
+These functions
+return a SID for the computed context in the memory referenced by
+.IR sid ,
+incrementing its reference count by 1.
+
+.SH "RETURN VALUE"
+On success, zero is returned.  On error, \-1 is returned and
+.I errno
+is set appropriately.
+
+.SH "ERRORS"
+.TP
+.B EINVAL
+The
+.I tclass
+and/or the security contexts referenced by
+.I ssid
+and
+.I tsid
+are not recognized by the currently loaded policy, or 
+.I tsid
+or
+.I ssid
+has a zero reference count and is invalid.
+
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_init (3),
+.BR avc_context_to_sid (3),
+.BR security_compute_create (3),
+.BR selinux (8)
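Review bot: the last DESCRIPTION paragraph says the SID is returned "in the memory referenced by sid", but both prototypes name the output parameter newsid; rename it so the text matches the SYNOPSIS. Since the paragraph also says the reference count is incremented by 1, it would help to point the reader to sidput in avc_context_to_sid(3) for releasing that reference. SEE ALSO lists security_compute_create (3) but not security_compute_member, which the text also refers to.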
diff --git a/libselinux/man/man3/avc_compute_member.3 b/libselinux/man/man3/avc_compute_member.3
new file mode 100644
index 0000000..28307ce
--- /dev/null
+++ b/libselinux/man/man3/avc_compute_member.3
@@ -0,0 +1 @@
+.so man3/avc_compute_create.3
diff --git a/libselinux/man/man3/avc_context_to_sid.3 b/libselinux/man/man3/avc_context_to_sid.3
new file mode 100644
index 0000000..41a486d
--- /dev/null
+++ b/libselinux/man/man3/avc_context_to_sid.3
@@ -0,0 +1,98 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
+.TH "avc_context_to_sid" "3" "27 May 2004" "" "SELinux API documentation"
+.SH "NAME"
+avc_context_to_sid, avc_sid_to_context, sidput, sidget, avc_get_initial_sid \- obtain and manipulate SELinux security ID's.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");"
+.sp
+.BI "int avc_sid_to_context(security_id_t " sid ", security_context_t *" ctx ");"
+.sp
+.BI "int sidget(security_id_t " sid ");"
+.sp
+.BI "int sidput(security_id_t " sid ");"
+.sp
+.BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");"
+.sp
+.SH "DESCRIPTION"
+Security ID's (SID's) are reference-counted, opaque representations of security contexts.  
+
+.B avc_context_to_sid
+returns a SID for the given
+.I context
+in the memory referenced by
+.IR sid ,
+incrementing its reference count by 1.
+
+.B avc_sid_to_context
+returns a copy of the context represented by
+.I sid
+in the memory referenced by
+.IR ctx .
+The user must free the copy with
+.BR freecon (3).
+
+.B sidget
+increments the reference count of
+.I sid 
+by 1.
+
+.B sidput
+decrements the reference count of
+.I sid
+by 1.  If the count ever reaches zero, the SID becomes
+invalid and must not be used any further.
+
+.B avc_get_initial_sid
+returns a SID for the kernel initial security identifier specified by 
+.I name
+
+.SH "RETURN VALUE"
+.B sidget
+and
+.B sidput
+return the new reference count.  A return value of zero indicates
+an invalid SID.
+
+.B avc_context_to_sid
+and
+.B avc_sid_to_context
+return zero on success.  On error, \-1 is returned and
+.I errno
+is set appropriately.
+
+.SH "ERRORS"
+.TP
+.B EINVAL
+The provided
+.I sid
+has a zero reference count and is invalid.
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "NOTES"
+The expected usage pattern for these functions is that
+.B avc_context_to_sid
+will be called once to obtain a SID for a newly created object,
+.B sidget
+will be called on a SID when its object is duplicated, and
+.B sidput
+will be called on a SID when its object is destroyed.  Proper reference counting is necessary to ensure that SID's and associated cache entries are reclaimed from memory when no longer needed.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_init (3),
+.BR avc_has_perm (3),
+.BR avc_cache_stats (3),
+.BR avc_add_callback (3),
+.BR getcon (3),
+.BR freecon (3)
+.BR selinux (8)
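Review bot: the avc_get_initial_sid paragraph at the end of DESCRIPTION stops without a final period and does not say whether the returned SID has its reference count incremented, and RETURN VALUE and ERRORS do not cover avc_get_initial_sid at all. Please complete the sentence and add the function to RETURN VALUE alongside avc_context_to_sid and avc_sid_to_context. The avc_context_to_sid paragraph italicises `context` while the prototype's parameter is ctx, and the freecon (3) entry in SEE ALSO lacks its trailing comma.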
diff --git a/libselinux/man/man3/avc_destroy.3 b/libselinux/man/man3/avc_destroy.3
new file mode 100644
index 0000000..ca549ae
--- /dev/null
+++ b/libselinux/man/man3/avc_destroy.3
@@ -0,0 +1 @@
+.so man3/avc_open.3
diff --git a/libselinux/man/man3/avc_entry_ref_init.3 b/libselinux/man/man3/avc_entry_ref_init.3
new file mode 100644
index 0000000..3caf27b
--- /dev/null
+++ b/libselinux/man/man3/avc_entry_ref_init.3
@@ -0,0 +1 @@
+.so man3/avc_has_perm.3
diff --git a/libselinux/man/man3/avc_get_initial_context.3 b/libselinux/man/man3/avc_get_initial_context.3
new file mode 100644
index 0000000..d7c3e66
--- /dev/null
+++ b/libselinux/man/man3/avc_get_initial_context.3
@@ -0,0 +1 @@
+.so man3/avc_context_to_sid.3
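Review bot: this alias file is named avc_get_initial_context.3, but the page it sources documents avc_get_initial_sid, and no avc_get_initial_context appears in that page's NAME or SYNOPSIS. As it stands there is no alias file for avc_get_initial_sid. Rename the file to avc_get_initial_sid.3, or document avc_get_initial_context in the target page if that is the intended name.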
diff --git a/libselinux/man/man3/avc_has_perm.3 b/libselinux/man/man3/avc_has_perm.3
new file mode 100644
index 0000000..50f4d44
--- /dev/null
+++ b/libselinux/man/man3/avc_has_perm.3
@@ -0,0 +1,155 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
+.TH "avc_has_perm" "3" "27 May 2004" "" "SELinux API documentation"
+.SH "NAME"
+avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");"
+.sp
+.BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid ,
+.in +\w'int avc_has_perm('u
+.BI "security_class_t " tclass ", access_vector_t " requested ,
+
+.BI "struct avc_entry_ref *" aeref ", void *" auditdata ");"
+.in
+.sp
+.BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid ,
+.in +\w'int avc_has_perm('u
+.BI "security_class_t " tclass ", access_vector_t " requested ,
+
+.BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");"
+.in
+.sp
+.BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid ,
+.in +\w'void avc_audit('u
+.BI "security_class_t " tclass ", access_vector_t " requested ,
+
+.BI "struct av_decision *" avd ", int " result ", void *" auditdata ");"
+.in
+.SH "DESCRIPTION"
+.B avc_entry_ref_init
+initializes an
+.B avc_entry_ref
+structure; see
+.B ENTRY REFERENCES
+below.  This function may be implemented as a macro.
+
+.B avc_has_perm
+checks whether the 
+.I requested
+permissions are granted
+for subject SID
+.IR ssid
+and target SID
+.IR tsid ,
+interpreting the permissions
+based on
+.I tclass
+and updating
+.IR aeref ,
+if non-NULL, to refer to a cache entry with the resulting decision.  The granting or denial of permissions is audited in accordance with the policy.  The
+.I auditdata
+parameter is for supplemental auditing; see
+.B avc_audit
+below.
+
+.B avc_has_perm_noaudit
+behaves as
+.B avc_has_perm
+without producing an audit message.  The access decision is returned in
+.I avd
+and can be passed to
+.B avc_audit
+explicitly.
+
+.B avc_audit
+produces an audit message for the access query represented by
+.IR ssid ,
+.IR tsid ,
+.IR tclass ,
+and
+.IR requested ,
+with a decision represented by
+.IR avd .
+Pass the value returned by
+.B avc_has_perm_noaudit
+as
+.IR result .
+The
+.I auditdata
+parameter is passed to the user-supplied
+.B func_audit
+callback and can be used to add supplemental information to the audit message; see
+.BR avc_init (3).
+
+.SH "ENTRY REFERENCES"
+Entry references can be used to speed cache performance for repeated queries on the same subject and target.  The userspace AVC will check the
+.I aeref
+argument, if supplied, before searching the cache on a permission query.  After a query is performed,
+.I aeref
+will be updated to reference the cache entry for that query.  A subsequent query on the same subject and target will then have the decision at hand without having to walk the cache.
+
+After declaring an
+.B avc_entry_ref
+structure, use
+.B avc_entry_ref_init
+to initialize it before passing it to
+.B avc_has_perm
+or
+.B avc_has_perm_noaudit
+for the first time.
+Using an uninitialized structure will produce undefined behavior.
+
+.SH "RETURN VALUE"
+If requested permissions are granted, zero is returned.  If requested permissions are denied or an error occured, \-1 is returned and
+.I errno
+is set appropriately.
+
+In permissive mode, zero will be returned and
+.I errno
+unchanged even if permissions were denied.
+.B avc_has_perm
+will still produce an audit message in this case.
+
+.SH "ERRORS"
+.TP
+.B EACCES
+A requested permission was denied.
+.TP
+.B EINVAL
+The
+.I tclass
+and/or the security contexts referenced by
+.I ssid
+and
+.I tsid
+are not recognized by the currently loaded policy.
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "NOTES"
+Internal errors encountered by the userspace AVC may cause certain values of
+.I errno
+to be returned unexpectedly.  For example, netlink socket errors may produce
+.B EACCES
+or
+.BR EINVAL .
+Make sure that userspace object managers are granted appropriate access to
+netlink by the policy.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_init (3),
+.BR avc_context_to_sid (3),
+.BR avc_cache_stats (3),
+.BR avc_add_callback (3),
+.BR security_compute_av (3)
+.BR selinux(8)
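Review bot: the last SEE ALSO line, `.BR selinux(8)`, has no space before the section number, so the whole token is set in bold, unlike every other entry; write `.BR selinux (8)` and add the missing comma after security_compute_av (3). In SYNOPSIS the avc_has_perm_noaudit prototype computes its indent from 'int avc_has_perm(' rather than from its own name, so the continuation lines will not align under the first argument. RETURN VALUE should name the functions it applies to, since avc_entry_ref_init and avc_audit are declared void, and "occured" is misspelled there.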
diff --git a/libselinux/man/man3/avc_has_perm_noaudit.3 b/libselinux/man/man3/avc_has_perm_noaudit.3
new file mode 100644
index 0000000..3caf27b
--- /dev/null
+++ b/libselinux/man/man3/avc_has_perm_noaudit.3
@@ -0,0 +1 @@
+.so man3/avc_has_perm.3
diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3
new file mode 100644
index 0000000..331a665
--- /dev/null
+++ b/libselinux/man/man3/avc_init.3
@@ -0,0 +1,195 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004
+.TH "avc_init" "3" "27 May 2004" "" "SELinux API documentation"
+.SH "NAME"
+avc_init - legacy userspace SELinux AVC setup.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "int avc_init(const char *" msgprefix , 
+.in +\w'int avc_init('u
+.BI "const struct avc_memory_callback *" mem_callbacks ,
+
+.BI "const struct avc_log_callback *" log_callbacks ,
+
+.BI "const struct avc_thread_callback *" thread_callbacks ,
+
+.BI "const struct avc_lock_callback *" lock_callbacks ");"
+.SH "DESCRIPTION"
+.B avc_init
+is deprecated; please use
+.BR avc_open (3)
+in conjunction with
+.BR selinux_set_callback (3)
+in all new code.
+
+.B avc_init
+initializes the userspace AVC and must be called before any other AVC operation can be performed.  A non-NULL
+.I msgprefix
+will be prepended to all audit messages produced by the userspace AVC.  The default is `uavc'.  The remaining arguments, if non-NULL, specify callbacks to be used by the userspace AVC.
+
+.SH "CALLBACKS"
+The userspace AVC can be directed how to perform memory allocation, logging, thread creation, and locking via callback functions passed to
+.BR avc_init .
+The purpose of this functionality is to allow the userspace AVC to be smoothly integrated into existing userspace object managers.
+
+Use an
+.B avc_memory_callback
+structure to specify alternate functions for dynamic memory allocation.
+
+.RS
+.ta 4n 10n 24n
+.nf
+struct avc_memory_callback {
+	void	*(*func_malloc)(size_t size);
+	void	(*func_free)(void *ptr);
+};
+.fi
+.ta
+.RE
+
+The two fields of the structure should be pointers to functions which behave as 
+.BR malloc (3)
+and
+.BR free (3),
+which are used by default. 
+
+Use an
+.B avc_log_callback
+structure to specify alternate functions for logging.
+
+.RS
+.ta 4n 10n 24n
+.nf
+struct avc_log_callback {
+	void	(*func_log)(const char *fmt, ...);
+	void	(*func_audit)(void *auditdata,
+			security_class_t class,
+			char *msgbuf, size_t msgbufsize);
+};
+.fi
+.ta
+.RE
+
+The
+.B func_log
+callback should accept a 
+.BR printf (3)
+style format and arguments and log them as desired.  The default behavior prints the message on the standard error.  The
+.B func_audit
+callback should interpret the 
+.I auditdata
+parameter for the given
+.IR class ,
+printing a human-readable interpretation to 
+.I msgbuf
+using no more than
+.I msgbufsize
+characters.  The default behavior is to ignore
+.IR auditdata .
+
+Use an
+.B avc_thread_callback
+structure to specify functions for starting and manipulating threads.
+
+.RS
+.ta 4n 10n 24n
+.nf
+struct avc_thread_callback {
+	void	*(*func_create_thread)(void (*run)(void));
+	void	(*func_stop_thread)(void *thread);
+};
+.fi
+.ta
+.RE
+
+The
+.B func_create_thread
+callback should create a new thread and return a pointer which references it.  The thread should execute the
+.I run
+argument, which does not return under normal conditions.  The
+.B func_stop_thread
+callback should cancel the running thread referenced by 
+.IR thread .
+By default, threading is not used; see 
+.B NETLINK NOTIFICATION
+below.
+
+Use an
+.B avc_lock_callback
+structure to specify functions to create, obtain, and release locks for use by threads.
+
+.RS
+.ta 4n 10n 24n
+.nf
+struct avc_lock_callback {
+	void	*(*func_alloc_lock)(void);
+	void	(*func_get_lock)(void *lock);
+	void	(*func_release_lock)(void *lock);
+	void	(*func_free_lock)(void *lock);
+};
+.fi
+.ta
+.RE
+
+The
+.B func_alloc_lock
+callback should create a new lock, returning a pointer which references it.  The
+.B func_get_lock
+callback should obtain
+.IR lock ,
+blocking if necessary.  The
+.B func_release_lock
+callback should release
+.IR lock .
+The
+.B func_free_lock
+callback should destroy
+.IR lock ,
+freeing any resources associated with it.  The default behavior is not to perform any locking.  Note that undefined behavior may result if threading is used without appropriate locking.
+
+.SH "NETLINK NOTIFICATION"
+Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
+.BR avc_has_perm (3)
+to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
+
+In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query.  If threading and locking callbacks are passed to
+.B avc_init
+however, a dedicated thread will be started to listen on the netlink socket.  This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
+
+.SH "RETURN VALUE"
+Functions with a return value return zero on success.  On error, \-1 is returned and
+.I errno
+is set appropriately.
+
+.SH "NOTES"
+The
+.I msgprefix
+argument to
+.B avc_init
+currently has a length limit of 15 characters and will be truncated if necessary.
+
+If a provided
+.B func_malloc
+callback does not set
+.I errno
+appropriately on error, userspace AVC calls may exhibit the
+same behavior.
+
+If a netlink thread has been created and an error occurs on the socket (such as an access error), the thread may terminate and cause the userspace AVC to return
+.B EINVAL
+on all further permission checks until
+.B avc_destroy 
+is called.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_open (3),
+.BR selinux_set_callback (3),
+.BR selinux (8)
+
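Review bot: the func_audit description says the callback prints to msgbuf "using no more than msgbufsize characters" without stating whether that count includes the terminating NUL. Please say so explicitly, because an implementer who guesses wrong writes one byte past the buffer. In SYNOPSIS the `.in +\w'int avc_init('u` indent is never undone with a bare `.in` before DESCRIPTION, as the other pages in this patch do. NAME uses a plain '-' where the other pages use '\-', and NOTES refers to avc_destroy without a section number or a SEE ALSO entry.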
diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
new file mode 100644
index 0000000..9019085
--- /dev/null
+++ b/libselinux/man/man3/avc_open.3
@@ -0,0 +1,70 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008
+.TH "avc_open" "3" "12 Jun 2008" "" "SELinux API documentation"
+.SH "NAME"
+avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/avc.h>
+.sp
+.BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");"
+.sp
+.BI "void avc_destroy(void);"
+.sp
+.BI "int avc_reset(void);"
+.sp
+.BI "void avc_cleanup(void);"
+.SH "DESCRIPTION"
+.B avc_open
+initializes the userspace AVC and must be called before any other AVC operation can be performed.
+
+.B avc_destroy
+destroys the userspace AVC, freeing all internal memory structures.  After this call has been made, 
+.B avc_open
+must be called again before any AVC operations can be performed.
+
+.B avc_reset
+flushes the userspace AVC, causing it to forget any cached access decisions.  The userspace AVC normally calls this function automatically when needed, see
+.B NETLINK NOTIFICATION
+below.
+
+.B avc_cleanup
+forces the userspace AVC to search for and free all unused SID's and any access decision entries that refer to them.  Normally, the userspace AVC lazily reclaims unused SID's.  
+
+.SH "OPTIONS"
+The userspace AVC obeys callbacks set via
+.BR selinux_set_callback (3),
+in particular the logging and audit callbacks.
+
+The options which may be passed to
+.B avc_open
+include the following:
+
+.TP
+.B AVC_OPT_SETENFORCE
+This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise.  The system enforcing mode will be ignored.
+
+.SH "NETLINK NOTIFICATION"
+Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
+.BR avc_has_perm (3)
+to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
+
+.SH "RETURN VALUE"
+Functions with a return value return zero on success.  On error, \-1 is returned and
+.I errno
+is set appropriately.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR selinux (8),
+.BR avc_has_perm (3),
+.BR avc_context_to_sid (3),
+.BR avc_cache_stats (3),
+.BR avc_add_callback (3),
+.BR selinux_set_callback (3),
+.BR security_compute_av (3)
+
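Review bot: OPTIONS describes AVC_OPT_SETENFORCE in terms of "the option value", but the page never shows the fields of struct selinux_opt or says what to pass for options and nopt when no options are wanted. Add the structure layout (or a reference to the page that defines it) and a sentence on the no-options call. RETURN VALUE says "Functions with a return value"; naming avc_open and avc_reset would be clearer, and ERRORS is missing entirely. In the avc_reset paragraph, "when needed, see" is a comma splice.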
diff --git a/libselinux/man/man3/avc_reset.3 b/libselinux/man/man3/avc_reset.3
new file mode 100644
index 0000000..ca549ae
--- /dev/null
+++ b/libselinux/man/man3/avc_reset.3
@@ -0,0 +1 @@
+.so man3/avc_open.3
diff --git a/libselinux/man/man3/avc_sid_stats.3 b/libselinux/man/man3/avc_sid_stats.3
new file mode 100644
index 0000000..6732dc1
--- /dev/null
+++ b/libselinux/man/man3/avc_sid_stats.3
@@ -0,0 +1 @@
+.so man3/avc_cache_stats.3
diff --git a/libselinux/man/man3/avc_sid_to_context.3 b/libselinux/man/man3/avc_sid_to_context.3
new file mode 100644
index 0000000..d7c3e66
--- /dev/null
+++ b/libselinux/man/man3/avc_sid_to_context.3
@@ -0,0 +1 @@
+.so man3/avc_context_to_sid.3
diff --git a/libselinux/man/man3/checkPasswdAccess.3 b/libselinux/man/man3/checkPasswdAccess.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/checkPasswdAccess.3
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/context_free.3 b/libselinux/man/man3/context_free.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_free.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_new.3 b/libselinux/man/man3/context_new.3
new file mode 100644
index 0000000..f36bd25
--- /dev/null
+++ b/libselinux/man/man3/context_new.3
@@ -0,0 +1,61 @@
+.TH "context_new" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts
+
+.SH "SYNOPSIS"
+.B #include <selinux/context.h>
+
+.B "context_t context_new(const char *" context_str );
+
+.B "const char * context_str(context_t " con );
+
+.B "void context_free(context_t " con );
+
+.B "const char * context_type_get(context_t " con );
+
+.B "const char * context_range_get(context_t " con );
+
+.B "const char * context_role_get(context_t " con );
+
+.B "const char * context_user_get(context_t " con );
+
+.B "const char * context_type_set(context_t " con ", const char* " type);
+
+.B "const char * context_range_set(context_t " con ", const char* " range);
+
+.B "const char * context_role_set(context_t " con ", const char* " role );
+
+.B "const char * context_user_set(context_t " con ", const char* " user );
+
+.SH "DESCRIPTION"
+These functions allow an application to manipulate the fields of a
+security context string without requiring it to know the format of the
+string.
+
+context_new
+ Return a new context initialized to a context string 
+
+context_str
+Return a pointer to the string value of the context_t
+Valid until the next call to context_str or context_free 
+for the same context_t*
+
+context_free
+Free the storage used by a context
+
+context_type_get, context_range_get, context_role_get, context_user_get
+Get a pointer to the string value of a context component
+
+NOTE: Values returned by the get functions are only valid until the next call 
+to a set function or context_free() for the same context_t structure.
+
+context_type_set, context_range_set, context_role_set, context_user_set
+Set a context component
+
+.SH "RETURN VALUE"
+On success, zero is returned. On failure, -1 is returned and errno is
+set appropriately.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
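Review bot: The RETURN VALUE text ("On success, zero is returned. On failure, -1 is returned") does not fit most functions in the SYNOPSIS. context_new returns a context_t, and context_str and the four get functions return const char *, so the page never says what they return on failure; state that explicitly, since callers need it before dereferencing the result. The four set functions are declared as returning const char * in the SYNOPSIS, which conflicts with the zero/-1 convention; check them against selinux/context.h and split RETURN VALUE by function group. Smaller points: the context_str lifetime note refers to "context_t*" while the prototypes take context_t by value, NAME is missing a space in "context_range_set,context_role_get", and the line " Return a new context initialized to a context string" begins with a space, which forces a line break in roff output.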
diff --git a/libselinux/man/man3/context_range_get.3 b/libselinux/man/man3/context_range_get.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_range_get.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_range_set.3 b/libselinux/man/man3/context_range_set.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_range_set.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_role_get.3 b/libselinux/man/man3/context_role_get.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_role_get.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_role_set.3 b/libselinux/man/man3/context_role_set.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_role_set.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_type_get.3 b/libselinux/man/man3/context_type_get.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_type_get.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_type_set.3 b/libselinux/man/man3/context_type_set.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_type_set.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_user_get.3 b/libselinux/man/man3/context_user_get.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_user_get.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/context_user_set.3 b/libselinux/man/man3/context_user_set.3
new file mode 100644
index 0000000..f4f03a6
--- /dev/null
+++ b/libselinux/man/man3/context_user_set.3
@@ -0,0 +1 @@
+.so man3/context_new.3
diff --git a/libselinux/man/man3/freecon.3 b/libselinux/man/man3/freecon.3
new file mode 100644
index 0000000..055ccc8
--- /dev/null
+++ b/libselinux/man/man3/freecon.3
@@ -0,0 +1,25 @@
+.TH "freecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+freecon, freeconary \- free memory associated with SELinux security contexts.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "void freecon(security_context_t "con );
+
+.BI "void freeconary(security_context_t *" con );
+
+.SH "DESCRIPTION"
+.B freecon
+frees the memory allocated for a security context.
+
+.B freeconary
+frees the memory allocated for a context array.
+
+If
+.I con
+is NULL, no operation is performed.
+
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
diff --git a/libselinux/man/man3/freeconary.3 b/libselinux/man/man3/freeconary.3
new file mode 100644
index 0000000..3420153
--- /dev/null
+++ b/libselinux/man/man3/freeconary.3
@@ -0,0 +1 @@
+.so man3/freecon.3
diff --git a/libselinux/man/man3/fsetfilecon.3 b/libselinux/man/man3/fsetfilecon.3
new file mode 100644
index 0000000..33c321a
--- /dev/null
+++ b/libselinux/man/man3/fsetfilecon.3
@@ -0,0 +1 @@
+.so man3/setfilecon.3
diff --git a/libselinux/man/man3/get_default_context.3 b/libselinux/man/man3/get_default_context.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/get_default_context.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/get_default_context_with_level.3 b/libselinux/man/man3/get_default_context_with_level.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/get_default_context_with_level.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/get_default_context_with_role.3 b/libselinux/man/man3/get_default_context_with_role.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/get_default_context_with_role.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/get_default_context_with_rolelevel.3 b/libselinux/man/man3/get_default_context_with_rolelevel.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/get_default_context_with_rolelevel.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
new file mode 100644
index 0000000..c3fa956
--- /dev/null
+++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -0,0 +1,80 @@
+.TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SELinux"
+.SH "NAME"
+get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine SELinux context(s) for user sessions
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/get_context_list.h>
+.sp
+.BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
+.sp
+.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t **" list );
+.sp
+.BI "int get_default_context(const char *" user ", security_context_t "fromcon ", security_context_t *" newcon );
+.sp
+.BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon );
+.sp
+.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
+.sp
+.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
+.sp
+.BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
+.sp
+.BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
+.sp
+.BI "int get_default_type(const char *" role ", char **" type );
+
+.SH "DESCRIPTION"
+.B get_ordered_context_list
+invokes the 
+.B security_compute_user
+function to obtain the list of contexts for the specified
+.I user
+that are reachable from the specified
+.I fromcon
+context.  The function then orders the resulting list based on the global
+.B /etc/selinux/<SELINUXTYPE>/contexts/default_contexts
+file and the per-user
+.B /etc/selinux/<SELINUXTYPE>/contexts/users/<username>
+file if it exists.  The 
+.I fromcon
+parameter may be NULL to indicate that the current context should
+be used.  The function returns the number of contexts in the
+list, or -1 upon errors.  The list must be freed using the
+.B freeconary
+function.
+
+.B get_ordered_context_list_with_level
+invokes the get_ordered_context_list function and applies the specified level.
+
+.B get_default_context
+is the same as get_ordered_context_list but only returns a single context
+which has to be freed with freecon.
+
+.B get_default_context_with_level
+invokes the get_default_context function and applies the specified level.
+
+.B get_default_context_with_role
+is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user.
+
+.B get_default_context_with_rolelevel
+invokes the get_default_context_with_role function and applies the specified level.
+
+.B query_user_context
+takes a list of contexts, queries the user via stdin/stdout as to which context
+they want, and returns a new context as selected by the user (which has to be
+freed with freecon).
+
+.B manual_user_enter_context
+allows the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon.
+
+.B get_default_type
+Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free.
+
+.SH "RETURN VALUE"
+get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors.
+The other functions return 0 for success or -1 for errors.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)"
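Review bot: NAME lists get_default_role, but the SYNOPSIS and DESCRIPTION document get_default_type, so whatis/apropos will index a name this page never describes; fix whichever is wrong. The get_default_context_with_rolelevel prototype takes level before role, the reverse of what the function name suggests; confirm the order against get_context_list.h. The .BI lines for get_default_context_with_role and get_default_context_with_rolelevel end with a quote that is opened before ); and never closed, and the SEE ALSO line has misplaced quotes around getseuserbyname"(3)". Since query_user_context and manual_user_enter_context take the context from the user, the page should say whether the returned context has been validated or whether the caller must check it before use.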
diff --git a/libselinux/man/man3/get_ordered_context_list_with_level.3 b/libselinux/man/man3/get_ordered_context_list_with_level.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/get_ordered_context_list_with_level.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
new file mode 100644
index 0000000..2170795
--- /dev/null
+++ b/libselinux/man/man3/getcon.3
@@ -0,0 +1,62 @@
+.TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+getcon, getprevcon, getpidcon \- get SELinux security context of a process.
+
+getpeercon - get security context of a peer socket.
+
+setcon - set current security context of a process.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int getcon(security_context_t *" context );
+
+.BI "int getprevcon(security_context_t *" context );
+
+.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
+
+.BI "int getpeercon(int " fd ", security_context_t *" context);
+
+.BI "int setcon(security_context_t " context);
+
+.SH "DESCRIPTION"
+.B getcon
+retrieves the context of the current process, which must be free'd with
+freecon.
+
+.B getprevcon
+same as getcon but gets the context before the last exec.
+
+.B getpidcon
+returns the process context for the specified PID.
+
+.B getpeercon
+retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
+
+.B setcon
+sets the current security context of the process to a new value.  Note
+that use of this function requires that the entire application be
+trusted to maintain any desired separation between the old and new
+security contexts, unlike exec-based transitions performed via
+setexeccon(3).  When possible, decompose your applicaiton and use
+setexeccon() and execve() instead.
+
+Since access to file descriptors is revalidated upon use by SELinux,
+the new context must be explicitly authorized in the policy to use the
+descriptors opened by the old context if that is desired.  Otherwise,
+attempts by the process to use any existing descriptors (including
+stdin, stdout, and stderr) after performing the setcon() will fail.
+
+A multi-threaded application can perform a setcon() prior to creating
+any child threads, in which case all of the child threads will inherit
+the new context.  However, setcon() will fail if there are any other
+threads running in the same process.
+
+If the process was being ptraced at the time of the setcon()
+operation, ptrace permission will be revalidated against the new
+context and the setcon() will fail if it is not allowed by policy.
+
+.SH "RETURN VALUE"
+On error -1 is returned.  On success 0 is returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3), " setexeccon "(3)"
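Review bot: The getpidcon paragraph does not say that the returned context must be freed with freecon, unlike getcon and getpeercon, and getprevcon only implies it through "same as getcon"; state the ownership rule once for all four getters. In the setcon paragraph, "applicaiton" should be "application". RETURN VALUE should say whether errno is set, because the DESCRIPTION gives several distinct reasons for setcon() to fail (other threads running, ptrace not allowed by policy) and callers have no documented way to tell them apart. In NAME, the getpeercon and setcon lines use a plain "-" where the first line uses "\-".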
diff --git a/libselinux/man/man3/getexeccon.3 b/libselinux/man/man3/getexeccon.3
new file mode 100644
index 0000000..4b832a2
--- /dev/null
+++ b/libselinux/man/man3/getexeccon.3
@@ -0,0 +1,60 @@
+.TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.
+
+rpm_execcon \- run a helper for rpm in an appropriate security context
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int getexeccon(security_context_t *" context );
+
+.BI "int setexeccon(security_context_t "context );
+
+.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);
+
+.SH "DESCRIPTION"
+.B getexeccon
+retrieves the context used for executing a new process.
+This returned context should be freed with freecon if non-NULL.  
+getexeccon sets *con to NULL if no exec context has been explicitly 
+set by the program (i.e. using the default policy behavior).
+
+.B setexeccon
+sets the context used for the next execve call.  
+NULL can be passed to
+setexeccon to reset to the default policy behavior.  
+The exec context is automatically reset after the next execve, so a
+program doesn't need to explicitly sanitize it upon startup.  
+
+
+setexeccon can be applied prior to library
+functions that internally perform an execve, e.g. execl*, execv*, popen,
+in order to set an exec context for that operation.  
+
+
+Note: Signal handlers that perform an execve must take care to
+save, reset, and restore the exec context to avoid unexpected behavior.
+
+
+.B rpm_execcon
+runs a helper for rpm in an appropriate security context.  The
+verified parameter should contain the return code from the signature
+verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
+nottrusted, 4 == nokey), although this information is not yet used by
+the function.  The function determines the proper security context for
+the helper based on policy, sets the exec context accordingly, and
+then executes the specified filename with the provided argument and
+environment arrays.
+
+
+.SH "RETURN VALUE"
+On error -1 is returned.
+
+On success getexeccon and setexeccon returns 0.
+rpm_execcon only returns upon errors, as it calls execve(2).
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3), " getcon "(3)"
+
+
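Review bot: The getexeccon description says it "sets *con to NULL", but the SYNOPSIS names that parameter context; use one name. The rpm_execcon .BI line ends with a quote opened before ); and never closed. The rpm_execcon text says the verified result "is not yet used by the function"; the page should say plainly that the function does not enforce the signature verification outcome, so callers know they have to act on it before calling. In RETURN VALUE, "getexeccon and setexeccon returns 0" should read "return 0".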
diff --git a/libselinux/man/man3/getfilecon.3 b/libselinux/man/man3/getfilecon.3
new file mode 100644
index 0000000..61b216f
--- /dev/null
+++ b/libselinux/man/man3/getfilecon.3
@@ -0,0 +1,42 @@
+.TH "getfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int getfilecon(const char *" path ", security_context_t *" con );
+
+.BI "int lgetfilecon(const char *" path ", security_context_t *" con );
+
+.BI "int fgetfilecon(int "fd ", security_context_t *" con );
+.SH "DESCRIPTION"
+.B getfilecon
+retrieves the context associated with the given path in the file system, the
+length of the context is returned.
+
+.B lgetfilecon
+is identical to getfilecon, except in the case of a symbolic link, where the
+link itself is interrogated, not the file that it refers to.
+
+.B fgetfilecon
+is identical to getfilecon, only the open file pointed to by filedes (as
+returned by open(2)) is interrogated in place of path.
+
+
+The returned context should be freed with freecon if non-NULL.  
+.SH "RETURN VALUE"
+On success, a positive number is returned indicating the size of the
+extended attribute value. On failure, \-1 is returned and errno is  set
+appropriately.
+
+If the context does not exist, or the process has no access to
+this attribute, errno is set to ENODATA.
+
+If extended attributes are not supported by the filesystem, or are dis\-
+abled, errno is set to ENOTSUP.
+
+The errors documented for the stat(2) system call are also applicable
+here.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
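Review bot: The fgetfilecon paragraph refers to "filedes", but the SYNOPSIS names the parameter fd. The first DESCRIPTION sentence is a comma splice ("...in the file system, the length of the context is returned") and never says that the context is stored in *con. "dis\-abled" carries a line-break hyphen over from the text this was copied from; write "disabled". The sentence "The returned context should be freed with freecon if non-NULL." would be more useful if it also said whether *con is left untouched or set to NULL on failure.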
diff --git a/libselinux/man/man3/getfscreatecon.3 b/libselinux/man/man3/getfscreatecon.3
new file mode 100644
index 0000000..474aa28
--- /dev/null
+++ b/libselinux/man/man3/getfscreatecon.3
@@ -0,0 +1,38 @@
+.TH "getfscreatecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int getfscreatecon(security_context_t *" con );
+
+.BI "int setfscreatecon(security_context_t "context );
+
+.SH "DESCRIPTION"
+.B getfscreatecon
+retrieves the context used for creating a new file system object.
+This returned context should be freed with freecon if non-NULL.  
+getfscreatecon sets *con to NULL if no fscreate context has been explicitly 
+set by the program (i.e. using the default policy behavior).
+
+.B setfscreatecon
+sets the context used for creating a new file system object.
+NULL can be passed to
+setfscreatecon to reset to the default policy behavior.  
+The fscreate context is automatically reset after the next execve, so a
+program doesn't need to explicitly sanitize it upon startup.  
+
+setfscreatecon can be applied prior to library
+functions that internally perform an file creation,
+in order to set an file context on the objects.
+
+
+Note: Signal handlers that perform an setfscreate must take care to
+save, reset, and restore the fscreate context to avoid unexpected behavior.
+.SH "RETURN VALUE"
+On error -1 is returned.
+On success 0 is returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)"
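Review bot: The closing note says "Signal handlers that perform an setfscreate", which names a function that is not on this page; it should be setfscreatecon. The text says the fscreate context is reset after the next execve but not whether it persists across several file creations before that; state this explicitly, since a caller that forgets to pass NULL afterwards would label later objects with the same context. Grammar: "an file creation" and "an file context" should use "a".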
diff --git a/libselinux/man/man3/getpeercon.3 b/libselinux/man/man3/getpeercon.3
new file mode 100644
index 0000000..1210b5a
--- /dev/null
+++ b/libselinux/man/man3/getpeercon.3
@@ -0,0 +1 @@
+.so man3/getcon.3
diff --git a/libselinux/man/man3/getpidcon.3 b/libselinux/man/man3/getpidcon.3
new file mode 100644
index 0000000..1210b5a
--- /dev/null
+++ b/libselinux/man/man3/getpidcon.3
@@ -0,0 +1 @@
+.so man3/getcon.3
diff --git a/libselinux/man/man3/getprevcon.3 b/libselinux/man/man3/getprevcon.3
new file mode 100644
index 0000000..1210b5a
--- /dev/null
+++ b/libselinux/man/man3/getprevcon.3
@@ -0,0 +1 @@
+.so man3/getcon.3
diff --git a/libselinux/man/man3/getseuserbyname.3 b/libselinux/man/man3/getseuserbyname.3
new file mode 100644
index 0000000..1630356
--- /dev/null
+++ b/libselinux/man/man3/getseuserbyname.3
@@ -0,0 +1,28 @@
+.TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+getseuserbyname \- get SELinux username and level for a given Linux username
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int getseuserbyname(const char *" linuxuser ", char **" selinuxuser ", char **" level ");
+.SH "DESCRIPTION"
+.B getseuserbyname
+retrieves the SELinux username and security level associated with 
+a given Linux username.  The SELinux username and security level can
+then be passed to other libselinux functions such as 
+get_ordered_context_list_with_level and get_default_context_with_level.
+
+
+
+The returned SELinux username and level should be freed by the caller
+using free.  
+.SH "RETURN VALUE"
+On success, 0 is returned.
+On failure, \-1 is returned and errno is set appropriately.
+
+The errors documented for the stat(2) system call are also applicable
+here.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
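Review bot: The sentence "The errors documented for the stat(2) system call are also applicable here" looks copied from getfilecon.3; getseuserbyname takes a user name, not a path, so either drop it or list the errno values that can actually occur. The .BI prototype ends with a quote opened before ); and never closed. The page should also say what *selinuxuser and *level contain on failure and what is returned for a Linux user that has no explicit mapping, because the results are passed straight into get_default_context_with_level and similar calls.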
diff --git a/libselinux/man/man3/is_context_customizable.3 b/libselinux/man/man3/is_context_customizable.3
new file mode 100644
index 0000000..d230ace
--- /dev/null
+++ b/libselinux/man/man3/is_context_customizable.3
@@ -0,0 +1,25 @@
+.TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+is_context_customizable \- check whether SELinux context type is customizable by the administrator.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int is_context_customizable(security_context_t scon);
+
+.SH "DESCRIPTION"
+.B is_context_customizable
+
+This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file.  A customizable type is a file context type that
+administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place.
+
+ 
+.SH "RETURN VALUE"
+returns 1 if security context is customizable or 0 if it is not. 
+returns -1 on error
+
+.SH "FILE"
+/etc/selinux/SELINUXTYPE/context/customizable_types
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
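Review bot: The path is written /etc/selinux/SELINUXTYPE/context/customizable_types in both DESCRIPTION and FILE, while get_ordered_context_list.3 in this same patch uses /etc/selinux/<SELINUXTYPE>/contexts/...; check "context" against "contexts" and use one placeholder style. The blank line directly after ".B is_context_customizable" detaches the function name from its description, and "leave these context in place" should be "contexts". The SYNOPSIS uses .B with a fixed string where the other pages use .BI to italicize the argument name.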
diff --git a/libselinux/man/man3/is_selinux_enabled.3 b/libselinux/man/man3/is_selinux_enabled.3
new file mode 100644
index 0000000..025aad6
--- /dev/null
+++ b/libselinux/man/man3/is_selinux_enabled.3
@@ -0,0 +1,15 @@
+.TH "is_selinux_enabled" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+is_selinux_enabled \- check whether SELinux is enabled
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int is_selinux_enabled();
+
+.SH "DESCRIPTION"
+.B is_selinux_enabled
+returns 1 if SELinux is running or 0 if it is not.  May change soon.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
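Review bot: "May change soon." gives callers nothing to act on; say what is expected to change or drop the sentence. There is no RETURN VALUE section and the text does not say whether an error return is possible; programs that gate security decisions on this call need to know whether a failure is reported as 0 (treated as disabled) or as a distinct value.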
diff --git a/libselinux/man/man3/lsetfilecon.3 b/libselinux/man/man3/lsetfilecon.3
new file mode 100644
index 0000000..33c321a
--- /dev/null
+++ b/libselinux/man/man3/lsetfilecon.3
@@ -0,0 +1 @@
+.so man3/setfilecon.3
diff --git a/libselinux/man/man3/manual_user_enter_context.3 b/libselinux/man/man3/manual_user_enter_context.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/manual_user_enter_context.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/matchmediacon.3 b/libselinux/man/man3/matchmediacon.3
new file mode 100644
index 0000000..1a3a561
--- /dev/null
+++ b/libselinux/man/man3/matchmediacon.3
@@ -0,0 +1,26 @@
+.TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+matchmediacon \- get the default SELinux security context for the specified mediatype from the policy.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int matchmediacon(const char *" media ", security_context_t *" con);"
+
+
+.SH "DESCRIPTION"
+
+.B matchmediacon 
+matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context. 
+.sp
+
+.B Note: 
+   Caller must free returned security context "con" using freecon.
+.SH "RETURN VALUE"
+Returns 0 on success or -1 otherwise.
+
+.SH Files
+/etc/selinux/POLICYTYPE/contexts/files/media
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3)
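Review bot: The heading ".SH Files" and the placeholder POLICYTYPE differ from the "FILE" heading and SELINUXTYPE placeholder used on is_context_customizable.3 in this patch; pick one heading and one placeholder. The .BI prototype ends in con);" with a stray quote, and the SEE ALSO line opens a quote before (3) that is never closed. The line "   Caller must free returned security context..." starts with spaces, which forces a break in roff output.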
diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
new file mode 100644
index 0000000..2b1471c
--- /dev/null
+++ b/libselinux/man/man3/matchpathcon.3
@@ -0,0 +1,120 @@
+.TH "matchpathcon" "3" "16 March 2005" "sds@tycho.nsa.gov" "SELinux API documentation"
+.SH "NAME"
+matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int matchpathcon_init(const char *" path ");"
+
+.BI "int matchpathcon_fini(void);"
+
+.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
+.sp
+
+.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
+
+.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ", unsigned " lineno ", char * " context "));"
+
+.BI "void set_matchpathcon_flags(unsigned int " flags ");"
+
+.SH "DESCRIPTION"
+.B matchpathcon_init
+loads the file contexts configuration specified by
+.I path
+into memory for use by subsequent 
+.B matchpathcon 
+calls.  If
+.I path
+is NULL, then the active file contexts configuration is loaded by default,
+i.e. the path returned by 
+.B selinux_file_context_path(3).
+Unless the 
+.B MATCHPATHCON_BASEONLY 
+flag has been set via 
+.B set_matchpathcon_flags,
+files with the same path prefix but a 
+.B .homedirs
+and
+.B .local
+suffix are also looked up and loaded if present.  These files provide
+dynamically generated entries for user home directories and for local
+customizations.
+
+.sp
+.B matchpathcon_fini
+frees the memory allocated by a prior call to
+.B matchpathcon_init.
+This function can be used to free and reset the internal state between multiple 
+.B matchpathcon_init 
+calls, or to free memory when finished using 
+.B matchpathcon.
+
+.sp
+.B matchpathcon 
+matches the specified pathname and mode against the file contexts
+configuration and sets the security context 
+.I con 
+to refer to the
+resulting context. The caller must free the returned security context 
+.I con
+using freecon when finished using it.
+.I mode
+can be 0 to disable mode matching, but
+should be provided whenever possible, as it may affect the matching.
+Only the file format bits (i.e. the file type) of the 
+.I mode 
+are used.
+If 
+.B matchpathcon_init
+has not already been called, then this function will call it upon
+its first invocation with a NULL
+.I path,
+defaulting to the active file contexts configuration.
+.sp
+
+.B set_matchpathcon_printf
+sets the function used by 
+.B matchpathcon_init
+when displaying errors about the file contexts configuration.  If not set, 
+then this defaults to fprintf(stderr, fmt, ...).  This can be set to redirect
+error reporting to a different destination.
+
+.sp
+.B set_matchpathcon_invalidcon
+sets the function used by 
+.B matchpathcon_init
+when checking the validity of a context in the file contexts
+configuration.  If not set, then this defaults to a test based 
+on 
+.B security_check_context(3),
+which checks validity against the active policy on a SELinux system.
+This can be set to instead perform checking based on a binary policy file,
+e.g. using 
+.B sepol_check_context(3),
+as is done by 
+.B setfiles -c.
+The function is also responsible for reporting any such error, and
+may include the 
+.I path
+and
+.I lineno
+in such error messages.
+
+.sp
+.B set_matchpathcon_flags
+sets flags controlling the operation of 
+.B matchpathcon_init
+or
+.B matchpathcon.
+If the 
+.B MATCHPATHCON_BASEONLY
+flag is set, then only the base file contexts configuration file
+will be processed, not any dynamically generated entries or local customizations.
+
+.sp
+.SH "RETURN VALUE"
+Returns 0 on success or -1 otherwise.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
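Review bot: RETURN VALUE says only "Returns 0 on success or -1 otherwise" without naming functions; the three set_* functions in the SYNOPSIS return void, so list which functions this applies to and whether errno is set. The set_matchpathcon_invalidcon callback is declared as returning int, but the description never says which return value marks a context as invalid or how matchpathcon_init reacts to it, which anyone writing a replacement validator needs to know. Minor: "a .homedirs and .local suffix" should be "suffixes".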
diff --git a/libselinux/man/man3/query_user_context.3 b/libselinux/man/man3/query_user_context.3
new file mode 100644
index 0000000..3fbfe0e
--- /dev/null
+++ b/libselinux/man/man3/query_user_context.3
@@ -0,0 +1 @@
+.so man3/get_ordered_context_list.3
diff --git a/libselinux/man/man3/rpm_execcon.3 b/libselinux/man/man3/rpm_execcon.3
new file mode 100644
index 0000000..b2e6ab8
--- /dev/null
+++ b/libselinux/man/man3/rpm_execcon.3
@@ -0,0 +1 @@
+.so man3/getexeccon.3
diff --git a/libselinux/man/man3/security_av_perm_to_string.3 b/libselinux/man/man3/security_av_perm_to_string.3
new file mode 100644
index 0000000..bda9daf
--- /dev/null
+++ b/libselinux/man/man3/security_av_perm_to_string.3
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff --git a/libselinux/man/man3/security_av_string.3 b/libselinux/man/man3/security_av_string.3
new file mode 100644
index 0000000..bda9daf
--- /dev/null
+++ b/libselinux/man/man3/security_av_string.3
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3
new file mode 100644
index 0000000..af55f06
--- /dev/null
+++ b/libselinux/man/man3/security_check_context.3
@@ -0,0 +1,16 @@
+.TH "security_check_context" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+security_check_context \- check the validity of a SELinux context
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int security_check_context(security_context_t "con );
+
+.SH "DESCRIPTION"
+.B security_check_context
+returns 0 if SELinux is running and the context is valid, otherwise it
+returns -1.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
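Review bot: As written, -1 covers both "SELinux is not running" and "the context is invalid", so a caller cannot tell a bad context from a disabled system; document how to distinguish the two (for example by calling is_selinux_enabled first, or through errno if it is set) and add a RETURN VALUE section as on the other pages.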
diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3
new file mode 100644
index 0000000..41788e9
--- /dev/null
+++ b/libselinux/man/man3/security_class_to_string.3
@@ -0,0 +1,80 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation"
+.SH "NAME"
+security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
+between SELinux class and permission values and string names.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/flask.h>
+.sp
+.BI "const char * security_class_to_string(security_class_t " tclass ");"
+.sp
+.BI "const char * security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");"
+.sp
+.BI "int security_av_string(security_class_t " tclass ", access_vector_t " av ", char **" result ");"
+.sp
+.BI "security_class_t string_to_security_class(const char *" name ");"
+.sp
+.BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
+
+.SH "DESCRIPTION"
+.B security_class_to_string
+returns a string name for class
+.IR tclass ,
+or NULL if the class is invalid.  The returned string must not be modified or freed.
+
+.B security_av_perm_to_string
+returns a string name for the access vector bit
+.I av
+of class
+.IR tclass ,
+or NULL if either argument is invalid.  The returned string must not be modified or freed.
+
+.B security_av_string
+computes a full access vector string representation using
+.I tclass
+and
+.IR av ,
+which may have multiple bits set.  The string is returned in the memory pointed to by
+.IR result ,
+and should be freed by the caller using
+.BR free (3).
+
+.B string_to_security_class
+returns the class value corresponding to the string name
+.IR name ,
+or zero if no such class exists.
+
+.B string_to_av_perm
+returns the access vector bit corresponding to the string name
+.I name
+and security class
+.IR tclass ,
+or zero if no such value exists.
+
+.SH "RETURN VALUE"
+.B security_av_string
+returns returns zero on success or \-1 on error with
+.I errno
+set appropriately.  All other functions return zero or NULL on error.
+
+.SH "ERRORS"
+.TP
+.B EINVAL
+A class or access vector argument is not recognized by the currently loaded policy.
+
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR selinux (8),
+.BR getcon (3),
+.BR getfilecon (3)
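Review bot: RETURN VALUE has a duplicated word in "returns returns zero on success". It also says only security_av_string sets errno, while the ERRORS section lists EINVAL for unrecognized class or access vector arguments, which applies equally to the functions that return NULL or zero; say whether those set errno too. It would help to state what *result holds when security_av_string fails, so callers know whether free(3) is needed on the error path.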
diff --git a/libselinux/man/man3/security_commit_booleans.3 b/libselinux/man/man3/security_commit_booleans.3
new file mode 100644
index 0000000..29731ef
--- /dev/null
+++ b/libselinux/man/man3/security_commit_booleans.3
@@ -0,0 +1 @@
+.so man3/security_load_booleans.3
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
new file mode 100644
index 0000000..885719f
--- /dev/null
+++ b/libselinux/man/man3/security_compute_av.3
@@ -0,0 +1,68 @@
+.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+security_compute_av, security_compute_create, security_compute_relabel,
+security_compute_member, security_compute_user, security_get_initial_context \- query
+the SELinux policy database in the kernel.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/flask.h>
+.sp
+.BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd );
+.sp
+.BI "int security_compute_create(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
+.sp
+.BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
+.sp
+.BI "int security_compute_member(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon );
+.sp
+.BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con );
+.sp
+.BI "int security_get_initial_context(const char *" name ", security_context_t
+"con );
+.sp
+.BI "int checkPasswdAccess(access_vector_t " requested );
+
+.SH "DESCRIPTION"
+.B security_compute_av
+queries whether the policy permits the source context
+.B scon
+to access the target context
+.B tcon
+via class
+.B tclass
+with the
+.B requested
+access vector. See the cron source for a usage example.
+
+.B security_compute_create
+is used to compute a context to use for labeling a new object in a particular
+class based on a SID pair.
+
+.B security_compute_relabel
+is used to compute the new context to use when relabeling an object, it is used
+in the pam_selinux.so source and the newrole source to determine the correct
+label for the tty at login time, but can be used for other things.
+
+.B security_compute_member
+is used to compute the context to use when labeling a polyinstantiated object
+instance.
+
+.B security_compute_user
+is used to determine the set of user contexts that can be reached from a
+source context. Is mainly used by
+.B get_ordered_context_list.
+
+.B security_get_initial_context
+is used to get the context of a kernel initial security identifier specified by 
+.I name
+
+.B checkPasswdAccess
+This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts.
+
+.SH "RETURN VALUE"
+0 for success and on error -1 is returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)"
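Review bot: DESCRIPTION and RETURN VALUE never say how security_compute_av reports its decision: the struct av_decision *avd output argument is not described, and "0 for success" can be read as "access permitted". State that a zero return only means the query completed and that the caller must check the requested bits against the decision returned in avd. Separately, the security_get_initial_context prototype is split across two lines inside one .BI request, so the second line is typeset as body text and should be joined, and checkPasswdAccess appears in SYNOPSIS and DESCRIPTION but not in NAME.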
diff --git a/libselinux/man/man3/security_compute_create.3 b/libselinux/man/man3/security_compute_create.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/security_compute_create.3
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_compute_member.3 b/libselinux/man/man3/security_compute_member.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/security_compute_member.3
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_compute_relabel.3 b/libselinux/man/man3/security_compute_relabel.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/security_compute_relabel.3
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_compute_user.3 b/libselinux/man/man3/security_compute_user.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/security_compute_user.3
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_get_boolean_active.3 b/libselinux/man/man3/security_get_boolean_active.3
new file mode 100644
index 0000000..29731ef
--- /dev/null
+++ b/libselinux/man/man3/security_get_boolean_active.3
@@ -0,0 +1 @@
+.so man3/security_load_booleans.3
diff --git a/libselinux/man/man3/security_get_boolean_names.3 b/libselinux/man/man3/security_get_boolean_names.3
new file mode 100644
index 0000000..29731ef
--- /dev/null
+++ b/libselinux/man/man3/security_get_boolean_names.3
@@ -0,0 +1 @@
+.so man3/security_load_booleans.3
diff --git a/libselinux/man/man3/security_get_boolean_pending.3 b/libselinux/man/man3/security_get_boolean_pending.3
new file mode 100644
index 0000000..29731ef
--- /dev/null
+++ b/libselinux/man/man3/security_get_boolean_pending.3
@@ -0,0 +1 @@
+.so man3/security_load_booleans.3
diff --git a/libselinux/man/man3/security_get_initial_context.3 b/libselinux/man/man3/security_get_initial_context.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/security_get_initial_context.3
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3
new file mode 100644
index 0000000..5d65574
--- /dev/null
+++ b/libselinux/man/man3/security_getenforce.3
@@ -0,0 +1,23 @@
+.TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+security_getenforce, security_setenforce \- get or set the enforcing state of SELinux
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int security_getenforce();
+
+.BI "int security_setenforce(int "value );
+
+.SH "DESCRIPTION"
+.B security_getenforce
+returns 0 if SELinux is running in permissive mode, 1 if it is running in
+enforcing mode, and -1 on error.
+
+.B security_setenforce
+sets SELinux to enforcing mode if the value 1 is passed in, and sets it to
+permissive mode if 0 is passed in.  On success 0 is returned, on error -1 is
+returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
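Review bot: Neither DESCRIPTION paragraph says whether errno is set on the -1 return, and the security_setenforce text does not mention that the call can fail for lack of permission. Because -1 is non-zero, add a sentence telling callers to compare the security_getenforce result against 1 and 0 explicitly instead of using it as a boolean. The hyphen in -1 should also be escaped as \-1, as the pages by Eamon Walsh in this patch do.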
diff --git a/libselinux/man/man3/security_load_booleans.3 b/libselinux/man/man3/security_load_booleans.3
new file mode 100644
index 0000000..c7057a1
--- /dev/null
+++ b/libselinux/man/man3/security_load_booleans.3
@@ -0,0 +1,59 @@
+.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
+.SH "NAME"
+security_load_booleans, security_set_boolean, security_commit_booleans, 
+security_get_boolean_names, security_get_boolean_active,
+security_get_boolean_pending \- routines for manipulating SELinux boolean values
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+extern int security_load_booleans(char *path);
+
+extern int security_get_boolean_names(char ***names, int *len);
+
+extern int security_get_boolean_pending(const char *name);
+
+extern int security_get_boolean_active(const char *name);
+
+extern int security_set_boolean(const char *name, int value);
+
+extern int security_commit_booleans(void);
+
+
+.SH "DESCRIPTION"
+
+The SELinux policy can include conditional rules that are enabled or
+disabled based on the current values of a set of policy booleans.
+These policy booleans allow runtime modification of the security
+policy without having to load a new policy.  
+
+The SELinux API allows for a transaction based update.  So you can set several boolean values and the commit them all at once.
+
+security_load_booleans
+
+Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.
+
+security_get_boolean_names
+
+Returns a list of boolean names, currently supported by the loaded policy.
+
+security_set_boolean 
+
+Sets the pending value for boolean 
+
+security_get_boolean_pending
+
+Return pending value for boolean
+
+security_get_boolean_active
+
+Return active value for boolean
+
+security_commit_booleans
+
+Commit all pending values for the booleans.
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+selinux(8), getsebool(8), booleans(8), togglesebool(8)
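Review bot: The .TH line titles this page "security_get_boolean_names" although the file is security_load_booleans.3 and the stubs in this patch all .so to that name; make the title match. The page has no RETURN VALUE section, so a caller cannot tell how any of the six functions signal failure or who frees the array returned through names; add one. In DESCRIPTION, "and the commit them" should read "and then commit them", and the bare function names would be clearer as .TP/.B entries.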
diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3
new file mode 100644
index 0000000..77c3eec
--- /dev/null
+++ b/libselinux/man/man3/security_load_policy.3
@@ -0,0 +1,15 @@
+.TH "security_load_policy" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+security_load_policy \- load a new SELinux policy
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int security_load_policy(void *" data ", size_t "len );
+
+.SH "DESCRIPTION"
+.B security_load_policy
+loads a new policy, returns 0 for success and -1 for error.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
diff --git a/libselinux/man/man3/security_policyvers.3 b/libselinux/man/man3/security_policyvers.3
new file mode 100644
index 0000000..9e5dfd2
--- /dev/null
+++ b/libselinux/man/man3/security_policyvers.3
@@ -0,0 +1,16 @@
+.TH "security_policyvers" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+security_policyvers \- get the version of the SELinux policy
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int security_policyvers();
+
+.SH "DESCRIPTION"
+.B security_policyvers
+returns the version of the policy (a positive integer) on success, or -1 on
+error.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
diff --git a/libselinux/man/man3/security_set_boolean.3 b/libselinux/man/man3/security_set_boolean.3
new file mode 100644
index 0000000..29731ef
--- /dev/null
+++ b/libselinux/man/man3/security_set_boolean.3
@@ -0,0 +1 @@
+.so man3/security_load_booleans.3
diff --git a/libselinux/man/man3/security_setenforce.3 b/libselinux/man/man3/security_setenforce.3
new file mode 100644
index 0000000..24bca10
--- /dev/null
+++ b/libselinux/man/man3/security_setenforce.3
@@ -0,0 +1 @@
+.so security_getenforce.3
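Review bot: The .so target here is "security_getenforce.3" without the man3/ directory, while every other stub in this patch uses the form ".so man3/<page>.3". Change it to ".so man3/security_getenforce.3" so the include resolves the same way as the others.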
diff --git a/libselinux/man/man3/selabel_close.3 b/libselinux/man/man3/selabel_close.3
new file mode 100644
index 0000000..468fdaf
--- /dev/null
+++ b/libselinux/man/man3/selabel_close.3
@@ -0,0 +1 @@
+.so man3/selabel_open.3
diff --git a/libselinux/man/man3/selabel_lookup.3 b/libselinux/man/man3/selabel_lookup.3
new file mode 100644
index 0000000..ab792bb
--- /dev/null
+++ b/libselinux/man/man3/selabel_lookup.3
@@ -0,0 +1,78 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selabel_lookup" "3" "18 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selabel_lookup \- obtain SELinux security context from a string label.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "int selabel_lookup(struct selabel_handle *" hnd ,
+.in +\w'int selabel_lookup('u
+.BI "security_context_t *" context ,
+
+.BI "const char *" key ", int " type ");"
+.in
+.sp
+.BI "int selabel_lookup_raw(struct selabel_handle *" hnd ,
+.in +\w'int selabel_lookup_raw('u
+.BI "security_context_t *" context ,
+
+.BI "const char *" key ", int " type ");"
+
+.SH "DESCRIPTION"
+.B selabel_lookup
+performs a lookup operation on the handle 
+.IR hnd ,
+returning the result in the memory pointed to by 
+.IR context ,
+which must be freed by the caller using
+.BR freecon (3).
+The 
+.I key
+and
+.I type
+parameters are the inputs to the lookup operation and are interpreted according to the specific backend that 
+.I handle
+is open on.
+
+.B selabel_lookup_raw
+behaves identically to 
+.B selabel_lookup
+but does not perform context translation.
+
+.SH "RETURN VALUE"
+On success, zero is returned.  On error, \-1 is returned and
+.I errno
+is set appropriately.
+
+.SH "ERRORS"
+.TP
+.B ENOENT
+No context corresponding to the input 
+.I key
+and
+.I type
+was found.
+.TP
+.B EINVAL
+The
+.I key
+and/or
+.I type
+inputs are invalid, or the context being returned failed validation.
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR selabel_stats (3),
+.BR selinux_set_callback (3),
+.BR selinux (8)
+
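Review bot: DESCRIPTION refers to the parameter as ".I handle" ("the specific backend that handle is open on"), but SYNOPSIS names it hnd; use hnd so the text matches the prototype. The selabel_lookup_raw prototype also opens an indent with ".in +\w'int selabel_lookup_raw('u" and never closes it with a bare ".in", unlike the selabel_lookup prototype just above it.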
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
new file mode 100644
index 0000000..1af2ec0
--- /dev/null
+++ b/libselinux/man/man3/selabel_open.3
@@ -0,0 +1,98 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selabel_open" "3" "18 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selabel_open, selabel_close \- userspace SELinux labeling interface.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "struct selabel_handle *selabel_open(int " backend , 
+.in +\w'struct selabel_handle *selabel_open('u
+.BI "struct selinux_opt *" options ,
+
+.BI "unsigned " nopt ");"
+.in
+.sp
+.BI "void selabel_close(struct selabel_handle *" hnd ");"
+
+.SH "DESCRIPTION"
+.B selabel_open
+is used to initialize a labeling handle to be used for lookup operations.  The 
+.I backend
+argument specifies which backend is to be opened; the list of current backends appears in 
+.B BACKENDS
+below.
+
+The 
+.I options
+argument should be NULL or a pointer to an array of 
+.B selinux_opt
+structures of length
+.IR nopt :
+
+.RS
+.ta 4n 16n 24n
+.nf
+struct selinux_opt {
+	int	type;
+	const char	*value;
+};
+.fi
+.ta
+.RE
+
+The available option types are described in 
+.B GLOBAL OPTIONS
+below as well as in the documentation for each individual backend.  The return value on success is a non-NULL value for use in subsequent label operations.
+
+.B selabel_close
+terminates use of a handle, freeing any internal resources associated with it.  After this call has been made, the handle must not be used again.
+
+.SH "GLOBAL OPTIONS"
+Global options which may be passed to
+.B selabel_open
+include the following:
+
+.TP
+.B SELABEL_OPT_UNUSED
+The option with a type code of zero is a no-op.  Thus an array of options may be initizalized to zero and any untouched elements will not cause an error.
+.TP
+.B SELABEL_OPT_VALIDATE
+A non-null value for this option enables context validation.  By default,
+.BR security_check_context (3)
+is used; a custom validation function can be provided via
+.BR selinux_set_callback (3).
+Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+
+.SH "BACKENDS"
+
+.TP
+.B SELABEL_CTX_FILE
+File contexts backend, described in 
+.BR selabel_file (3).
+.TP
+.B SELABEL_CTX_MEDIA
+Media contexts backend, described in 
+.BR selabel_media (3).
+.TP
+.B SELABEL_CTX_X
+X Windows contexts backend, described in 
+.BR selabel_x (3).
+
+.SH "RETURN VALUE"
+A non-NULL handle value is returned on success.  On error, NULL is returned and
+.I errno
+is set appropriately.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR selabel_lookup (3),
+.BR selabel_stats (3),
+.BR selinux_set_callback (3),
+.BR selinux (8)
+
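Review bot: BACKENDS cites selabel_file(3) and selabel_media(3), but this patch adds those pages as man5/selabel_file.5 and man5/selabel_media.5 with section 5 in their .TH lines; change the references to (5) or move the pages to man3. In GLOBAL OPTIONS, "initizalized" is a typo. The SELABEL_OPT_VALIDATE entry should also say plainly that validation is off unless the option is set, since a caller passing NULL options gets contexts back unvalidated.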
diff --git a/libselinux/man/man3/selabel_stats.3 b/libselinux/man/man3/selabel_stats.3
new file mode 100644
index 0000000..441f422
--- /dev/null
+++ b/libselinux/man/man3/selabel_stats.3
@@ -0,0 +1,35 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selabel_stats" "3" "18 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selabel_stats \- obtain SELinux labeling statistics.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "void selabel_lookup(struct selabel_handle *" hnd ");"
+
+.SH "DESCRIPTION"
+.B selabel_stats
+causes zero or more messages to be printed containing backend-specific information about number of queries performed, number of unused entries, or other operational information.
+
+The messages are printed to standard error by default; a custom logging function can be provided via 
+.BR selinux_set_callback (3).
+
+.SH "RETURN VALUE"
+None.
+
+.SH "ERRORS"
+None.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR selabel_lookup (3),
+.BR selinux_set_callback (3),
+.BR selinux (8)
+
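Review bot: The SYNOPSIS prototype is "void selabel_lookup(struct selabel_handle *hnd);", which names the wrong function and contradicts the int prototype in selabel_lookup.3; it should declare selabel_stats. SYNOPSIS is the part readers copy from, so this one is worth fixing before import.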
diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
new file mode 100644
index 0000000..f6ceff9
--- /dev/null
+++ b/libselinux/man/man3/selinux_binary_policy_path.3
@@ -0,0 +1,70 @@
+.TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
+.SH "NAME"
+selinux_policy_root, selinux_binary_policy_path,
+selinux_failsafe_context_path, selinux_removable_context_path,
+selinux_default_context_path, selinux_user_contexts_path,
+selinux_file_context_path, selinux_media_context_path,
+selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration
+directories and files.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+
+extern const char *selinux_policy_root(void);
+
+extern const char *selinux_binary_policy_path(void);
+
+extern const char *selinux_failsafe_context_path(void);
+
+extern const char *selinux_removable_context_path(void);
+
+extern const char *selinux_default_context_path(void);
+
+extern const char *selinux_user_contexts_path(void);
+
+extern const char *selinux_file_context_path(void);
+
+extern const char *selinux_media_context_path(void);
+
+extern const char *selinux_securetty_types_path(void);
+
+extern const char *selinux_contexts_path(void);
+
+extern const char *selinux_booleans_path(void);
+
+
+.SH "DESCRIPTION"
+
+These functions return the paths to the active policy configuration
+directories and files based on the settings in /etc/selinux/config.
+
+.sp
+selinux_policy_root() - top-level policy directory 
+.sp
+selinux_binary_policy_path() - binary policy file loaded into kernel
+.sp
+selinux_failsafe_context_path() - failsafe context for emergency logins
+.sp
+selinux_removable_context_path() - filesystem context for removable media
+.sp
+selinux_default_context_path() - system-wide default contexts for user sessions
+.sp
+selinux_user_contexts_path() - directory containing per-user default contexts
+.sp
+selinux_file_context_path() - file contexts configuration
+.sp
+selinux_media_context_path() - file contexts for media device nodes
+.sp
+selinux_contexts_path() - directory containing all of the context configuration files
+.sp
+selinux_securetty_types_path() - defines tty types for newrole securettys
+.sp
+selinux_booleans_path() - initial policy boolean settings
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
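Review bot: NAME omits selinux_securetty_types_path even though SYNOPSIS and DESCRIPTION document it and a selinux_securetty_types_path.3 stub points at this page, so apropos and whatis will not find it; add it to the NAME list. The page also lacks a RETURN VALUE section: say whether the returned const char * may be NULL and that the caller must not free or modify it.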
diff --git a/libselinux/man/man3/selinux_booleans_path.3 b/libselinux/man/man3/selinux_booleans_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_booleans_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_check_securetty_context.3 b/libselinux/man/man3/selinux_check_securetty_context.3
new file mode 100644
index 0000000..65a10d3
--- /dev/null
+++ b/libselinux/man/man3/selinux_check_securetty_context.3
@@ -0,0 +1,16 @@
+.TH "selinux_check_securetty_context" "3" "1 January 2007" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+selinux_check_securetty_context \- check whether a SELinux tty security context is defined as a securetty context
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int selinux_check_securetty_context(security_context_t "tty_context );
+
+.SH "DESCRIPTION"
+.B selinux_check_securetty_context
+returns 0 if tty_context is a securetty context
+returns < 0 otherwise. 
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
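Review bot: DESCRIPTION runs two clauses together with no punctuation ("returns 0 if tty_context is a securetty context returns < 0 otherwise"), and the convention is the reverse of a boolean test: zero means the context is a securetty context. Split this into a RETURN VALUE section and state explicitly that callers must test for == 0, since code written as "if (selinux_check_securetty_context(ctx))" would take the branch for the non-securetty case.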
diff --git a/libselinux/man/man3/selinux_contexts_path.3 b/libselinux/man/man3/selinux_contexts_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_contexts_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_default_context_path.3 b/libselinux/man/man3/selinux_default_context_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_default_context_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_failsafe_context_path.3 b/libselinux/man/man3/selinux_failsafe_context_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_failsafe_context_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_file_context_path.3 b/libselinux/man/man3/selinux_file_context_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_file_context_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_getenforcemode.3 b/libselinux/man/man3/selinux_getenforcemode.3
new file mode 100644
index 0000000..a6a753e
--- /dev/null
+++ b/libselinux/man/man3/selinux_getenforcemode.3
@@ -0,0 +1,25 @@
+.TH "selinux_getenforcemode" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+selinux_getenforcemode \- get the enforcing state of SELinux
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B int selinux_getenforcemode(int *enforce);
+
+
+.SH "DESCRIPTION"
+.B selinux_getenforcemode
+Reads the contents of the /etc/selinux/config file to determine how the 
+system was setup to run SELinux.
+
+Sets the value of enforce to 1 if SELinux should be run in enforcing mode.
+Sets the value of enforce to 0 if SELinux should be run in permissive mode.
+Sets the value of enforce to -1 if SELinux should be disabled.
+.SH "RETURN VALUE"
+On success, zero is returned.
+On failure, -1 is returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
+
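Review bot: NAME says "get the enforcing state of SELinux", the same wording as security_getenforce.3, but DESCRIPTION shows this function only reads /etc/selinux/config and reports how the system was set up to run. Reword NAME to say it returns the configured mode, and add security_getenforce(3) to SEE ALSO so readers who need the running state are pointed to the right call. RETURN VALUE should also say what enforce holds when -1 is returned.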
diff --git a/libselinux/man/man3/selinux_media_context_path.3 b/libselinux/man/man3/selinux_media_context_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_media_context_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
new file mode 100644
index 0000000..7499c75
--- /dev/null
+++ b/libselinux/man/man3/selinux_policy_root.3
@@ -0,0 +1,20 @@
+.TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
+.SH "NAME"
+selinux_policy_root \- return the path of the SELinux policy files for this machine.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.B char *selinux_policy_root();
+
+
+.SH "DESCRIPTION"
+.B selinux_policy_root
+Reads the contents of the /etc/selinux/config file to determine which policy files should be used for this machine.
+.SH "RETURN VALUE"
+On success, returns a directory path containing the SELinux policy files.
+On failure, NULL is returned.
+
+.SH "SEE ALSO"
+.BR selinux "(8)"
+
+
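Review bot: SYNOPSIS declares "char *selinux_policy_root();" while selinux_binary_policy_path.3 in this same patch declares "extern const char *selinux_policy_root(void);" and also lists selinux_policy_root in its NAME. Make the two prototypes agree (the const form tells callers not to free or modify the result), and either reduce this file to a .so stub or drop the name from the other page so the function is documented in one place.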
diff --git a/libselinux/man/man3/selinux_removable_context_path.3 b/libselinux/man/man3/selinux_removable_context_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_removable_context_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_securetty_types_path.3 b/libselinux/man/man3/selinux_securetty_types_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_securetty_types_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
new file mode 100644
index 0000000..6d6a723
--- /dev/null
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -0,0 +1,95 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selinux_set_callback" "3" "20 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selinux_set_callback \- userspace SELinux callback facilities.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "void selinux_set_callback(int " type ", union selinux_callback " callback ");"
+
+.SH "DESCRIPTION"
+.B selinux_set_callback
+sets the callback indicated by
+.I type
+to the value of
+.IR callback ,
+which should be passed as a function pointer cast to type
+.B union
+.BR selinux_callback .
+
+All callback functions should return a negative value with
+.I errno
+set appropriately on error.
+
+The available values for 
+.I type
+are:
+.TP
+.B SELINUX_CB_LOG
+.BI "int (*" func_log ") (int " type ", const char *" fmt ", ...);"
+
+This callback is used for logging and should process the 
+.BR printf (3)
+style 
+.I fmt
+string and arguments as appropriate.  The
+.I type
+argument indicates the type of message and will be set to one of the following:
+
+.B SELINUX_ERROR
+
+.B SELINUX_WARNING
+
+.B SELINUX_INFO
+
+.B SELINUX_AVC
+
+.TP
+.B SELINUX_CB_AUDIT
+.BI "int (*" func_audit ") (void *" auditdata ", security_class_t " cls ,
+.in +\w'int (*func_audit) ('u
+.BI "char *" msgbuf ", size_t " msgbufsize ");"
+.in
+
+This callback is used for supplemental auditing in AVC messages.  The
+.I auditdata
+and
+.I cls
+arguments are the values passed to
+.BR avc_has_perm (3).
+A human-readable interpretation should be printed to
+.I msgbuf
+using no more than
+.I msgbufsize
+characters.
+
+.TP
+.B SELINUX_CB_VALIDATE
+.BI "int (*" func_validate ") (security_context_t *" ctx ");"
+
+This callback is used for context validation.  The callback may optionally modify the input context by setting the target of the 
+.I ctx
+pointer to a new context.  In this case, the old value should be freed with
+.BR freecon (3).
+The value of
+.I errno
+should be set to
+.B EINVAL
+to indicate an invalid context.
+
+.SH "RETURN VALUE"
+None.
+
+.SH "ERRORS"
+None.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR avc_init (3),
+.BR selinux (8)
+
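Review bot: The SELINUX_CB_AUDIT text says to print to msgbuf "using no more than msgbufsize characters" without saying whether that count includes the terminating NUL or whether the library terminates the buffer itself. An implementer who writes exactly msgbufsize characters plus a terminator overruns by one byte, so state the contract explicitly. The SELINUX_CB_LOG entry could likewise note that fmt and its arguments come from the library and must be passed to a vprintf-style function, not reinterpreted.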
diff --git a/libselinux/man/man3/selinux_set_mapping.3 b/libselinux/man/man3/selinux_set_mapping.3
new file mode 100644
index 0000000..7ac069a
--- /dev/null
+++ b/libselinux/man/man3/selinux_set_mapping.3
@@ -0,0 +1,87 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008
+.TH "selinux_set_mapping" "3" "12 Jun 2008" "" "SELinux API documentation"
+.SH "NAME"
+selinux_set_mapping \- establish dynamic object class and permission mapping.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.nf
+struct security_class_mapping {
+	const char *name;
+	const char *perms[];
+};
+.fi
+.sp
+.BI "int selinux_set_mapping(struct security_class_mapping *" map ");"
+
+.SH "DESCRIPTION"
+.B selinux_set_mapping
+establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy.  Use of this function is highly preferred over the generated constants in the libselinux header files, as this method allows the policy's class and permission values to change over time.
+
+After the mapping is established, all libselinux functions that operate on class and permission values take the user-provided numbers, which are determined as follows:
+
+The
+.I map
+argument consists of an array of 
+.B security_class_mapping
+structures, which must be terminated by a structure having a NULL name field.  Except for this last structure, the
+.I name 
+field should refer to the string name of an object class, and the corresponding
+.I perms
+field should refer to an array of permission bit names terminated by a NULL string.
+
+The object classes named in the mapping and the bit indexes of each set of permission bits named in the mapping are numbered in order starting from 1.  These numbers are the values that should be passed to subsequent libselinux calls.
+
+.SH "RETURN VALUE"
+Zero is returned on success.  On error, -1 is returned and
+.I errno
+is set appropriately.
+
+.SH "ERRORS"
+.TP
+.B EINVAL
+One of the class or permission names requested in the mapping is not present in the loaded policy.
+.TP
+.B ENOMEM
+An attempt to allocate memory failed.
+
+.SH "EXAMPLE"
+.RS
+.ta 4n 10n
+.nf
+struct security_class_mapping map[] = {
+	{ "file", { "create", "unlink", "read", "write", NULL } },
+	{ "socket", { "bind", NULL } },
+	{ "process", { "signal", NULL } },
+	{ NULL }
+};
+
+if (selinux_set_mapping(map) < 0)
+	exit(1);
+.fi
+.ta
+.RE
+
+In this example, after the call has succeeded, classes
+.BR file ,
+.BR socket ,
+and
+.B process
+will be identified by 1, 2 and 3, respectively.  Permissions
+.IR create ,
+.IR unlink ,
+.IR read ,
+and
+.I write
+(for the 
+.B file
+class) will be identified by 1, 2, 4, and 8 respectively.  Classes and permissions not listed in the mapping cannot be used.
+
+.SH "AUTHOR"
+Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+.SH "SEE ALSO"
+.BR avc_open (8),
+.BR selinux (8)
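Review bot: SYNOPSIS shows struct security_class_mapping with a flexible array member ("const char *perms[];"), but the EXAMPLE then declares an array of that struct and initializes perms inline, which standard C does not allow for a struct with a flexible array member. Show the real bounded declaration of perms from the header so the example compiles as written. SEE ALSO also cites avc_open(8); it is a library call and should be section 3.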
diff --git a/libselinux/man/man3/selinux_user_contexts_path.3 b/libselinux/man/man3/selinux_user_contexts_path.3
new file mode 100644
index 0000000..175a611
--- /dev/null
+++ b/libselinux/man/man3/selinux_user_contexts_path.3
@@ -0,0 +1 @@
+.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/set_matchpathcon_printf.3 b/libselinux/man/man3/set_matchpathcon_printf.3
new file mode 100644
index 0000000..cd5df2e
--- /dev/null
+++ b/libselinux/man/man3/set_matchpathcon_printf.3
@@ -0,0 +1 @@
+.so man3/matchpathcon.3
diff --git a/libselinux/man/man3/setcon.3 b/libselinux/man/man3/setcon.3
new file mode 100644
index 0000000..1210b5a
--- /dev/null
+++ b/libselinux/man/man3/setcon.3
@@ -0,0 +1 @@
+.so man3/getcon.3
diff --git a/libselinux/man/man3/setexeccon.3 b/libselinux/man/man3/setexeccon.3
new file mode 100644
index 0000000..b2e6ab8
--- /dev/null
+++ b/libselinux/man/man3/setexeccon.3
@@ -0,0 +1 @@
+.so man3/getexeccon.3
diff --git a/libselinux/man/man3/setfilecon.3 b/libselinux/man/man3/setfilecon.3
new file mode 100644
index 0000000..18030cd
--- /dev/null
+++ b/libselinux/man/man3/setfilecon.3
@@ -0,0 +1,41 @@
+.TH "setfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.SH "NAME"
+setfilecon, fsetfilecon, lsetfilecon \- set SELinux security context of a file
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int setfilecon(const char *" path ", security_context_t "con );
+
+.BI "int lsetfilecon(const char *" path ", security_context_t "con );
+
+.BI "int fsetfilecon(int "fd ", security_context_t "con );
+
+.SH "DESCRIPTION"
+.B setfilecon
+sets the security context of the file system object.
+
+.B lsetfilecon
+is identical to setfilecon, except in the case of a symbolic link, where the
+link itself has it's context set, not the file that it refers to.
+
+.B fsetfilecon
+is identical to setfilecon, only the open file pointed to by filedes (as
+returned by open(2)) has it's context set in place of path.
+
+.SH "RETURN VALUE"
+On success, zero is returned. On failure, -1 is returned and errno is
+set appropriately.
+
+If there is insufficient space remaining to store the extended
+attribute, errno is set to either ENOSPC, or EDQUOT if quota enforce-
+ment was the cause.
+
+If extended attributes are not supported by the filesystem, or are dis-
+abled, errno is set to ENOTSUP.
+
+The errors documented for the stat(2) system call are also applicable
+here.
+
+.SH "SEE ALSO"
+.BR selinux "(3), " freecon "(3), " getfilecon "(3), " setfscreatecon "(3)"
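Review bot: The fsetfilecon paragraph refers to the descriptor as "filedes", but SYNOPSIS names the parameter fd; use one name. RETURN VALUE carries line-break hyphens pasted from rendered output ("enforce-" / "ment", "dis-" / "abled"), which will typeset as "enforce- ment" and "dis- abled"; rejoin the words. Also "it's context" should be "its context" in both places, and SEE ALSO lists selinux(3) where the other pages in this patch reference selinux(8).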
diff --git a/libselinux/man/man3/setfscreatecon.3 b/libselinux/man/man3/setfscreatecon.3
new file mode 100644
index 0000000..21aeebd
--- /dev/null
+++ b/libselinux/man/man3/setfscreatecon.3
@@ -0,0 +1 @@
+.so man3/getfscreatecon.3
diff --git a/libselinux/man/man3/sidget.3 b/libselinux/man/man3/sidget.3
new file mode 100644
index 0000000..d7c3e66
--- /dev/null
+++ b/libselinux/man/man3/sidget.3
@@ -0,0 +1 @@
+.so man3/avc_context_to_sid.3
diff --git a/libselinux/man/man3/sidput.3 b/libselinux/man/man3/sidput.3
new file mode 100644
index 0000000..d7c3e66
--- /dev/null
+++ b/libselinux/man/man3/sidput.3
@@ -0,0 +1 @@
+.so man3/avc_context_to_sid.3
diff --git a/libselinux/man/man3/string_to_av_perm.3 b/libselinux/man/man3/string_to_av_perm.3
new file mode 100644
index 0000000..bda9daf
--- /dev/null
+++ b/libselinux/man/man3/string_to_av_perm.3
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff --git a/libselinux/man/man3/string_to_security_class.3 b/libselinux/man/man3/string_to_security_class.3
new file mode 100644
index 0000000..bda9daf
--- /dev/null
+++ b/libselinux/man/man3/string_to_security_class.3
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
new file mode 100644
index 0000000..6cce99e
--- /dev/null
+++ b/libselinux/man/man5/selabel_file.5
@@ -0,0 +1,48 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selabel_file" "5" "18 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selabel_file \- userspace SELinux labeling interface: file contexts backend.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "int selabel_lookup(struct selabel_handle *" hnd ,
+.in +\w'int selabel_lookup('u
+.BI "security_context_t *" context ,
+
+.BI "const char *" path ", int " mode ");"
+
+.SH "DESCRIPTION"
+The file contexts backend maps from pathname/mode combinations into security contexts.  It is used to find the appropriate context for each file when relabeling a file system.
+
+The
+.I path
+argument should be set to the full pathname of the file whose assigned context is being checked.  The 
+.I mode
+argument should be set to the mode bits of the file, as determined by 
+.BR lstat (2).
+
+.SH "OPTIONS"
+In addition to the global options described in 
+.BR selabel_open (3),
+this backend recognizes the following options:
+
+.TP
+.B SELABEL_OPT_PATH
+A non-null value for this option specifies a path to a file that will be opened in lieu of the standard file contexts file.  This value is also used as the base name for determining the names of local customization files.
+.TP
+.B SELABEL_OPT_BASEONLY
+A non-null value for this option indicates that any local customizations to the file contexts mapping should be ignored.
+.TP
+.B SELABEL_OPT_SUBSET
+A non-null value for this option is interpreted as a path prefix, for example "/etc".  Only file context specifications starting with the given prefix are loaded.  This may increase lookup performance, however any attempt to look up a path not starting with the given prefix will fail.
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR selabel_lookup (3),
+.BR selabel_stats (3),
+.BR selinux (8)
+
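Review bot: In SYNOPSIS, `.in +\w'int selabel_lookup('u` is never followed by a bare `.in` to restore the previous indent before `.SH "DESCRIPTION"`; add one after the last `.BI` line rather than relying on the section macro to reset it. Under SELABEL_OPT_SUBSET, "will fail" should say how the failure is reported to the caller (return value and errno), since a lookup outside the prefix is an expected case for users of this option.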
diff --git a/libselinux/man/man5/selabel_media.5 b/libselinux/man/man5/selabel_media.5
new file mode 100644
index 0000000..796260f
--- /dev/null
+++ b/libselinux/man/man5/selabel_media.5
@@ -0,0 +1,37 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selabel_media" "5" "18 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selabel_media \- userspace SELinux labeling interface: media contexts backend.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "int selabel_lookup(struct selabel_handle *" hnd ,
+.in +\w'int selabel_lookup('u
+.BI "security_context_t *" context ,
+
+.BI "const char *" device_name ", int " unused ");"
+
+.SH "DESCRIPTION"
+The media contexts backend maps from media device names such as "cdrom" or "floppy" into security contexts.  It is used to find the appropriate context for establishing context mounts on these devices.
+
+The integer lookup argument is currently unused and should be set to zero.
+
+.SH "OPTIONS"
+In addition to the global options described in 
+.BR selabel_open (3),
+this backend recognizes the following options:
+
+.TP
+.B SELABEL_OPT_PATH
+A non-null value for this option specifies a path to a file that will be opened in lieu of the standard media contexts file.  
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR selabel_lookup (3),
+.BR selabel_stats (3),
+.BR selinux (8)
+
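Review bot: The SYNOPSIS indent opened by `.in +\w'int selabel_lookup('u` has no closing `.in`, and the SELABEL_OPT_PATH description line ends in trailing whitespace. DESCRIPTION also does not say what selabel_lookup returns for a device name that has no entry in the media contexts file; one sentence on that would help callers setting up context mounts.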
diff --git a/libselinux/man/man5/selabel_x.5 b/libselinux/man/man5/selabel_x.5
new file mode 100644
index 0000000..1591c09
--- /dev/null
+++ b/libselinux/man/man5/selabel_x.5
@@ -0,0 +1,81 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+.TH "selabel_x" "5" "18 Jun 2007" "" "SELinux API documentation"
+.SH "NAME"
+selabel_x \- userspace SELinux labeling interface: X Window System contexts backend.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "int selabel_lookup(struct selabel_handle *" hnd ,
+.in +\w'int selabel_lookup('u
+.BI "security_context_t *" context ,
+
+.BI "const char *" object_name ", int " object_type ");"
+
+.SH "DESCRIPTION"
+The X contexts backend maps from X Window System object names into security contexts.  It is used to find the appropriate context for X Window System objects whose significance and/or usage semantics are determined primarily by name.  This backend is also used to determine the default context for labeling remotely connected X clients.
+
+The
+.I object_type
+argument should be set to one of the following values:
+.TP
+.B SELABEL_X_PROP
+The
+.I object_name
+argument specifies the name of a window property, such as "WM_NAME".
+.TP
+.B SELABEL_X_SELN
+The
+.I object_name
+argument specifies the name of a selection, such as "PRIMARY".
+.TP
+.B SELABEL_X_EXT
+The
+.I object_name
+argument specifies the name of a protocol extension, such as "RENDER".
+.TP
+.B SELABEL_X_EVENT
+The
+.I object_name
+argument specifies the name of an event type, such as "X11:ButtonPress".
+.TP
+.B SELABEL_X_CLIENT
+The
+.I object_name
+argument is ignored and should be set to NULL.  The default context for labeling remote X clients is returned.
+.TP
+.B SELABEL_X_POLYPROP
+Like
+.BR SELABEL_X_PROP ,
+but checks if the property was marked as being polyinstantiated.  See
+.B NOTES
+below.
+.TP
+.B SELABEL_X_POLYSELN
+Like
+.BR SELABEL_X_SELN ,
+but checks if the selection was marked as being polyinstantiated.  See
+.B NOTES
+below.
+
+.SH "OPTIONS"
+In addition to the global options described in 
+.BR selabel_open (3),
+this backend recognizes the following options:
+
+.TP
+.B SELABEL_OPT_PATH
+A non-null value for this option specifies a path to a file that will be opened in lieu of the standard X contexts file.  
+
+.SH "NOTES"
+Properties and selections are marked as either polyinstantiated or not.  For these name types, the "POLY" option searches only the names marked as being polyinstantiated, while the other option searches only the names marked as not being polyinstantiated.  Users of the interface should check both mappings, optionally taking action based on the result (e.g. polyinstantiating the object).
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR selabel_lookup (3),
+.BR selabel_stats (3),
+.BR selinux (8)
+
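Review bot: The NOTES paragraph refers to "the "POLY" option" and "the other option" without naming them; spell out the pairs (SELABEL_X_POLYPROP versus SELABEL_X_PROP, SELABEL_X_POLYSELN versus SELABEL_X_SELN) so it is clear which object_type values are meant. Since callers are told to "check both mappings", the page should also state what a lookup returns when the name is not in the searched set. The SYNOPSIS `.in +\w'...'u` has no matching `.in`.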
diff --git a/libselinux/man/man8/avcstat.8 b/libselinux/man/man8/avcstat.8
new file mode 100644
index 0000000..1035331
--- /dev/null
+++ b/libselinux/man/man8/avcstat.8
@@ -0,0 +1,31 @@
+.TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+avcstat \- Display SELinux AVC statistics
+
+.SH "SYNOPSIS"
+.B avcstat
+.I [-c] [-f status_file] [interval]
+
+.SH "DESCRIPTION"
+.B avcstat 
+
+Display SELinux AVC statistics.  If the interval parameter is specified, the
+program will loop, displaying updated statistics every 'interval' seconds.
+Relative values are displayed by default. 
+
+.SH OPTIONS
+.TP
+.B \-c
+Display the cumulative values.
+
+.TP
+.B \-f
+Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'.
+
+.SH "SEE ALSO"
+selinux(8)
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+The program was written by James Morris <jmorris@redhat.com>.
+
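Review bot: In DESCRIPTION, `.B avcstat` is followed by a blank line, which strands the bold command name as its own paragraph above "Display SELinux AVC statistics."; either drop the blank line and continue the sentence in lower case, or remove the `.B` line. The \-f entry in OPTIONS should name its status_file argument as SYNOPSIS does, and the hyphens in the SYNOPSIS `.I` line should be escaped as \- to match OPTIONS.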
diff --git a/libselinux/man/man8/booleans.8 b/libselinux/man/man8/booleans.8
new file mode 100644
index 0000000..89c7654
--- /dev/null
+++ b/libselinux/man/man8/booleans.8
@@ -0,0 +1,49 @@
+.TH "booleans" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+booleans \- Policy booleans enable runtime customization of SELinux policy.
+
+.SH "DESCRIPTION"
+This manual page describes SELinux policy booleans.
+.BR
+
+The SELinux policy can include conditional rules that are enabled or
+disabled based on the current values of a set of policy booleans.
+These policy booleans allow runtime modification of the security
+policy without having to load a new policy.  
+
+For example, the boolean httpd_enable_cgi allows the httpd daemon to
+run cgi scripts if it is enabled.  If the administrator does not want
+to allow execution of cgi scripts, he can simply disable this boolean
+value.  
+
+The policy defines a default value for each boolean, typically false.
+These default values can be overridden via local settings created via the
+.B setsebool(8)
+utility, using -P to make the setting persistent across reboots.
+The 
+.B system-config-securitylevel
+tool provides a graphical interface for altering
+the settings.  The
+.B load_policy(8)
+program will preserve
+current boolean settings upon a policy reload by default, or can
+optionally reset booleans to the boot-time defaults via the -b option.
+
+Boolean values can be listed by using the
+.B getsebool(8)
+utility and passing it the -a option.
+
+Boolean values can also be changed at runtime via the
+.B setsebool(8)
+utility or the
+.B togglesebool
+utility.  By default, these utilities only change the
+current boolean value and do not affect the persistent settings,
+unless the -P option is used to setsebool.
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+The SELinux conditional policy support was developed by Tresys Technology.
+
+.SH "SEE ALSO"
+getsebool(8), setsebool(8), selinux(8), togglesebool(8)
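Review bot: The `.BR` line after "This manual page describes SELinux policy booleans." has no arguments and produces nothing; use `.br` if a line break was intended, otherwise delete it. `.B setsebool(8)`, `.B load_policy(8)` and `.B getsebool(8)` put the section number in bold, where `.BR setsebool (8)` is the usual form, and `.B togglesebool` is missing its section. "he can simply disable this boolean" reads better without the gendered pronoun.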
diff --git a/libselinux/man/man8/getenforce.8 b/libselinux/man/man8/getenforce.8
new file mode 100644
index 0000000..8dc63c8
--- /dev/null
+++ b/libselinux/man/man8/getenforce.8
@@ -0,0 +1,15 @@
+.TH "getenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+getenforce \- get the current mode of SELinux
+.SH "SYNOPSIS"
+.B getenforce
+
+.SH "DESCRIPTION"
+.B getenforce
+reports whether SELinux is enforcing, permissive, or disabled.
+
+.SH AUTHOR	
+Dan Walsh, <dwalsh@redhat.com>
+
+.SH "SEE ALSO"
+selinux(8), setenforce(8), selinuxenabled(8)
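Review bot: `.TH "getenforce" "1"` declares section 1, but the file is added as man8/getenforce.8 and the other pages in this patch refer to it as getenforce(8). Change the .TH section to "8" so the page header, the install location and the cross-references agree.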
diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
new file mode 100644
index 0000000..a4200ee
--- /dev/null
+++ b/libselinux/man/man8/getsebool.8
@@ -0,0 +1,35 @@
+.TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+getsebool \- get SELinux boolean value(s) 
+
+.SH "SYNOPSIS"
+.B getsebool
+.I "[-a] [boolean]"
+
+.SH "DESCRIPTION"
+.B getsebool 
+reports where a particular SELinux boolean or
+all SELinux booleans are on or off
+In certain situations a boolean can be in one state with a pending 
+change to the other state.  getsebool will report this as a pending change.
+The pending value indicates
+the value that will be applied upon the next boolean commit.
+
+The setting of boolean values occurs in two stages; first the pending
+value is changed, then the booleans are committed, causing their
+active values to become their pending values.  This allows a group of
+booleans to be changed in a single transaction, by setting all of
+their pending values as desired and then committing once.
+
+.SH OPTIONS
+.TP
+.B \-a
+Show all SELinux booleans.
+
+.SH "SEE ALSO"
+selinux(8), setsebool(8), booleans(8)
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+The program was written by Tresys Technology.
+
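Review bot: The first DESCRIPTION sentence says "reports where a particular SELinux boolean or all SELinux booleans are on or off" and runs straight into the next sentence with no period; it should read "reports whether ... are on or off." The SYNOPSIS writes the flag as `[-a]` with an unescaped hyphen while OPTIONS uses \-a; use \-a in both.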
diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
new file mode 100644
index 0000000..c1b00c0
--- /dev/null
+++ b/libselinux/man/man8/matchpathcon.8
@@ -0,0 +1,37 @@
+.TH "matchpathcon" "8" "21 April 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration.
+
+.SH "SYNOPSIS"
+.B matchpathcon [-V] [-N] [-n] [-f file_contexts_file ] [-p prefix ] filepath...
+.SH "DESCRIPTION"
+.B matchpathcon
+queries the system policy and outputs the default security context associated with the filepath.
+
+Note: Identical paths can have different security contexts, depending on the file type. (regular file, directory, link file, char file ...)
+
+.B matchpathcon 
+will also take the file type into consideration in determining the default security context if the file exists.  If the file does not exist, no file type matching will occur.
+
+.SH OPTIONS
+.B \-n
+Do not display path.
+
+.B \-N
+Do not use translations.
+
+.B \-f file_context_file
+Use alternate file_context file
+
+.B \-p prefix
+Use prefix to speed translations
+
+.B \-V
+Verify file context on disk matches defaults
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+.BR selinux "(8), "
+.BR matchpathcon "(3), " 
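Review bot: The OPTIONS entries have no `.TP` before each `.B` flag line, so every flag and its description are filled into a single run-on paragraph; add `.TP` before each flag as the other pages in this patch do. The argument is called file_contexts_file in SYNOPSIS but file_context_file in OPTIONS, and the final SEE ALSO line `.BR matchpathcon "(3), "` leaves a dangling comma.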
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
new file mode 100644
index 0000000..5caa592
--- /dev/null
+++ b/libselinux/man/man8/selinux.8
@@ -0,0 +1,82 @@
+.TH  "selinux"  "8"  "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
+
+.SH "NAME"
+selinux \- NSA Security-Enhanced Linux (SELinux)
+
+.SH "DESCRIPTION"
+
+NSA Security-Enhanced Linux (SELinux) is an implementation of a
+flexible mandatory access control architecture in the Linux operating
+system.  The SELinux architecture provides general support for the
+enforcement of many kinds of mandatory access control policies,
+including those based on the concepts of Type Enforcement®, Role-
+Based Access Control, and Multi-Level Security.  Background
+information and technical documentation about SELinux can be found at
+http://www.nsa.gov/selinux.
+
+The
+.I /etc/selinux/config
+configuration file controls whether SELinux is
+enabled or disabled, and if enabled, whether SELinux operates in
+permissive mode or enforcing mode.  The
+.B SELINUX
+variable may be set to
+any one of disabled, permissive, or enforcing to select one of these
+options.  The disabled option completely disables the SELinux kernel
+and application code, leaving the system running without any SELinux
+protection.  The permissive option enables the SELinux code, but
+causes it to operate in a mode where accesses that would be denied by
+policy are permitted but audited.  The enforcing option enables the
+SELinux code and causes it to enforce access denials as well as
+auditing them.  Permissive mode may yield a different set of denials
+than enforcing mode, both because enforcing mode will prevent an
+operation from proceeding past the first denial and because some
+application code will fall back to a less privileged mode of operation
+if denied access.
+
+The
+.I /etc/selinux/config
+configuration file also controls what policy
+is active on the system.  SELinux allows for multiple policies to be
+installed on the system, but only one policy may be active at any
+given time.  At present, two kinds of SELinux policy exist: targeted
+and strict.  The targeted policy is designed as a policy where most
+processes operate without restrictions, and only specific services are
+placed into distinct security domains that are confined by the policy.
+For example, the user would run in a completely unconfined domain
+while the named daemon or apache daemon would run in a specific domain
+tailored to its operation.  The strict policy is designed as a policy
+where all processes are partitioned into fine-grained security domains
+and confined by policy.  It is anticipated in the future that other
+policies will be created (Multi-Level Security for example).  You can
+define which policy you will run by setting the
+.B SELINUXTYPE
+environment variable within
+.I /etc/selinux/config.
+The corresponding
+policy configuration for each such policy must be installed in the
+/etc/selinux/SELINUXTYPE/ directories.
+
+A given SELinux policy can be customized further based on a set of
+compile-time tunable options and a set of runtime policy booleans.
+.B system-config-securitylevel
+allows customization of these booleans and tunables.
+
+Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy.  
+
+.SH FILE LABELING
+
+All files, directories, devices ... have a security context/label associated with them.  These context are stored in the extended attributes of the file system.
+Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel.  If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.  
+
+The best way to relabel the file system is to create the flag file /.autorelabel and reboot.  system-config-securitylevel, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files. 
+  
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
+
+
+.SH FILES
+/etc/selinux/config
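Review bot: FILE LABELING spells the command "restorcon", which does not match restorecon(8) in SEE ALSO and will not work if a reader types it; fix it together with "explainging" in the paragraph above and "These context are stored". SELINUXTYPE is called an "environment variable" although it is set in /etc/selinux/config just like SELINUX; call it a variable. The period in `.I /etc/selinux/config.` is inside the italic argument and should move outside it.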
diff --git a/libselinux/man/man8/selinuxenabled.8 b/libselinux/man/man8/selinuxenabled.8
new file mode 100644
index 0000000..b25431f
--- /dev/null
+++ b/libselinux/man/man8/selinuxenabled.8
@@ -0,0 +1,16 @@
+.TH "selinuxenabled" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxenabled \- tool to be used within shell scripts to determine if selinux is enabled
+.SH "SYNOPSIS"
+.B selinuxenabled
+
+.SH "DESCRIPTION"
+.B selinuxenabled
+Indicates whether SELinux is enabled or disabled. It exits with status 0 
+if SELinux is enabled and 1 if it is not enabled.
+
+.SH AUTHOR	
+Dan Walsh, <dwalsh@redhat.com>
+
+.SH "SEE ALSO"
+selinux(8), setenforce(8), getenforce(8)
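Review bot: `.TH "selinuxenabled" "1"` does not match the man8/selinuxenabled.8 path or the selinuxenabled(8) references elsewhere in this patch; set the section to "8". In DESCRIPTION, "Indicates" follows the bold command name on the same rendered line, so it should be lower case. Because the page targets shell scripts, it is worth stating that nothing is printed and only the exit status carries the result, if that is the case.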
diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8
new file mode 100644
index 0000000..8a010d6
--- /dev/null
+++ b/libselinux/man/man8/setenforce.8
@@ -0,0 +1,23 @@
+.TH "setenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+setenforce \- modify the mode SELinux is running in.
+.SH "SYNOPSIS"
+.B setenforce [ Enforcing | Permissive | 1 | 0 ]
+
+.SH "DESCRIPTION"
+Use Enforcing or 1 to put SELinux in enforcing mode.
+Use Permissive or 0 to put SELinux in permissive mode.
+You need to modify 
+.I /etc/grub.conf
+or
+.I /etc/selinux/config
+to disable SELinux.
+
+.SH AUTHOR	
+Dan Walsh, <dwalsh@redhat.com>
+
+.SH "SEE ALSO"
+selinux(8), getenforce(8), selinuxenabled(8)
+
+.SH FILES
+/etc/grub.conf, /etc/selinux/config
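Review bot: DESCRIPTION tells the reader to modify /etc/grub.conf or /etc/selinux/config to disable SELinux but does not say what to change in either file; name the setting, for example the SELINUX variable documented in selinux(8). It should also say whether a mode set with setenforce survives a reboot, since the two files listed are the persistent configuration. `.TH "setenforce" "1"` conflicts with the man8 path and the setenforce(8) cross-references.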
diff --git a/libselinux/man/man8/togglesebool.8 b/libselinux/man/man8/togglesebool.8
new file mode 100644
index 0000000..ae21175
--- /dev/null
+++ b/libselinux/man/man8/togglesebool.8
@@ -0,0 +1,17 @@
+.TH "togglesebool" "1" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+togglesebool \- flip the current value of a SELinux boolean
+.SH "SYNOPSIS"
+.B togglesebool boolean...
+
+.SH "DESCRIPTION"
+.B togglesebool
+flips the current value of a list of booleans. If the value is currently a 1,
+then it will be changed to a 0 and vice versa. Only the "in memory" values are
+changed; the boot-time settings are unaffected. 
+
+.SH AUTHOR	
+This man page was written by Steve Grubb <sgrubb@redhat.com>
+
+.SH "SEE ALSO"
+selinux(8), booleans(8), getsebool(8), setsebool(8)
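Review bot: `.TH "togglesebool" "1"` declares section 1 while the file is man8/togglesebool.8 and booleans.8 in this patch lists it as togglesebool(8); use "8". The AUTHOR sentence is missing its final period, and "a SELinux boolean" in NAME should be "an SELinux boolean".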