sepolicy-generate(8)                                      sepolicy-generate(8)


NAME

       sepolicy-generate - Generate an initial SELinux policy module template.


SYNOPSIS

       Common options

       sepolicy generate [-h] [-p PATH]

       Confined Applications

       sepolicy generate --application [-n NAME] [-u USER] command [-w WRITE_PATH]
       sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH]
       sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH]
       sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH]
       sepolicy generate --init [-n NAME] command [-w WRITE_PATH]

       Confined Users

       sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
       sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u USER]
       [-n NAME] [-w WRITE_PATH]
       sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
       sepolicy generate --term_user -n NAME [-w WRITE_PATH]
       sepolicy generate --x_user -n NAME [-w WRITE_PATH]

       Miscellaneous Policy

       sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
       sepolicy generate --newtype -t type -n NAME
       sepolicy generate --sandbox -n NAME


DESCRIPTION

       Use sepolicy generate to generate an SELinux policy module.

       sepolicy generate will create 5 files.

       When specifying a confined application you must specify a path.
       sepolicy generate will use the rpm payload of the application along
       with nm -D APPLICATION to help it generate types and policy rules for
       your policy files.

       Type Enforcing File NAME.te
       This file can be used to define all the type rules for a particular
       domain.

       Note: Policy generated by sepolicy generate will automatically add a
       permissive DOMAIN to your te file.  When you are satisfied that your
       policy works, you need to remove the permissive line from the te file
       to run your domain in enforcing mode.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te
       file, which can be used by other policy domains.

       File Context NAME.fc
       This file defines the default file context for the system. It takes
       the file types created in the te file and associates file paths to the
       types.  Tools like restorecon and RPM will use these paths to put down
       labels.

       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux
       policy onto machines and set up the labeling. The spec file also
       installs the interface file and a man page describing the policy.  You
       can use sepolicy manpage -d NAME to generate the man page.

       Shell File NAME.sh
       This is a helper shell script to compile, install and fix the labeling
       on your test system.  It will also generate a man page based on the
       installed policy, and compile and build an RPM suitable to be installed
       on other machines.

       If a generate is possible, this tool will print out all generate paths
       from the source domain to the target domain.


OPTIONS

       -h, --help
              Display help message

       -d, --domain
              Enter domain type(s) which you will be extending

       -n, --name
              Specify alternate name of policy. The policy will default to the
              executable or name specified

       -p, --path
              Specify the directory to store the created policy files.
              (Defaults to the current working directory.)

       -r, --role
              Enter role(s) to which this admin user will transition.

       -t, --type
              Enter type(s) for which you will generate new definition and
              rule(s)

       -u, --user
              SELinux user(s) which will transition to this domain

       -w, --writepath
              Path(s) which the confined processes need to write

       -a, --admin
              Domain(s) which the confined admin will administrate

       --admin_user
              Generate Policy for Administrator Login User Role

       --application
              Generate Policy for User Application

       --cgi  Generate Policy for Web Application/Script (CGI)

       --confined_admin
              Generate Policy for Confined Root Administrator Role

       --customize
              Generate Policy for Existing Domain Type

       --dbus Generate Policy for DBUS System Daemon

       --desktop_user
              Generate Policy for Desktop Login User Role

       --inetd
              Generate Policy for Internet Services Daemon

       --init Generate Policy for Standard Init Daemon (Default)

       --newtype
              Generate new policy for new types to add to an existing policy.

       --sandbox
              Generate Policy for Sandbox

       --term_user
              Generate Policy for Minimal Terminal Login User Role

       --x_user
              Generate Policy for Minimal X Windows Login User Role


EXAMPLE

       > sepolicy generate --init /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script

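       The Note under DESCRIPTION says the generated te file carries a
       permissive DOMAIN line that must be removed before the domain runs in
       enforcing mode. The script below is an added example, not part of the
       original man page or of the sepolicy tool: a release gate that reports
       any domain still declared permissive and writes an enforcing copy. The
       function names and the sample rwhod.te content are constructed for
       illustration.

```shell
#!/bin/sh
# Added example: release gate for a policy module created by sepolicy generate.

# Print every domain a .te file still declares permissive (comment lines are ignored).
permissive_domains() {
    sed -n 's/^[[:space:]]*permissive[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*;.*$/\1/p' "$1"
}

# Write an enforcing copy of the .te file ($1) to $2 with the permissive lines removed.
make_enforcing() {
    sed '/^[[:space:]]*permissive[[:space:]]\{1,\}[A-Za-z0-9_]\{1,\}[[:space:]]*;/d' "$1" > "$2"
}

# Return 1 (and name the domains on stderr) if the file would still run permissive.
check_enforcing() {
    doms=$(permissive_domains "$1" | tr '\n' ' ')
    if [ -n "$doms" ]; then
        echo "$1: still permissive: $doms" >&2
        return 1
    fi
    return 0
}

# Constructed sample standing in for a generated rwhod.te (not real tool output).
demo_dir=$(mktemp -d)
cat > "$demo_dir/rwhod.te" <<'EOF'
policy_module(rwhod, 1.0.0)

type rwhod_t;
type rwhod_exec_t;
init_daemon_domain(rwhod_t, rwhod_exec_t)

# permissive rwhod_old_t;   (commented out, must not be reported)
permissive rwhod_t;

allow rwhod_t self:fifo_file rw_fifo_file_perms;
EOF

# The gate fails on the generated file and passes on the enforcing copy.
check_enforcing "$demo_dir/rwhod.te" || echo "gate: refusing to package a permissive policy"
make_enforcing "$demo_dir/rwhod.te" "$demo_dir/rwhod.enforcing.te"
check_enforcing "$demo_dir/rwhod.enforcing.te" && echo "gate: enforcing copy is clean"
rm -rf "$demo_dir"
```

       Run check_enforcing on NAME.te before building the RPM from
       NAME_selinux.spec so a permissive domain does not ship to other
       machines unnoticed.
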

AUTHOR

       This man page was written by Daniel Walsh <dwalsh@redhat.com>


SEE ALSO

       sepolicy(8), selinux(8)

                                   20121005               sepolicy-generate(8)