sepolicy-generate(8)                                      sepolicy-generate(8)

NAME

       sepolicy-generate - Generate an initial SELinux policy module template.

SYNOPSIS

       Common options

       sepolicy generate [-h] [-p PATH]

       Confined Applications

       sepolicy generate --application [-n NAME] [-u USER] command [-w WRITE_PATH]
       sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH]
       sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH]
       sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH]
       sepolicy generate --init [-n NAME] command [-w WRITE_PATH]

       Confined Users

       sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
       sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u USER]
       [-n NAME] [-w WRITE_PATH]
       sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
       sepolicy generate --term_user -n NAME [-w WRITE_PATH]
       sepolicy generate --x_user -n NAME [-w WRITE_PATH]

       Miscellaneous Policy

       sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
       sepolicy generate --newtype -t type -n NAME
       sepolicy generate --sandbox -n NAME

DESCRIPTION

       Use sepolicy generate to generate an SELinux policy module.

       sepolicy generate will create 5 files.

       When specifying a confined application you must specify a path.
       sepolicy generate will use the rpm payload of the application along
       with nm -D APPLICATION to help it generate types and policy rules for
       your policy files.

       NAME.te
       This file can be used to define all the type enforcement rules for a
       particular domain.

       Note: Policy generated by sepolicy generate will automatically add a
       permissive DOMAIN to your .te file. When you are satisfied that your
       policy works, you need to remove the permissive line from the .te file
       to run your domain in enforcing mode.

       NAME.if
       This file defines the interfaces for the types generated in the .te
       file, which can be used by other policy domains.

       NAME.fc
       This file defines the default file context for the system. It takes the
       file types created in the .te file and associates file paths with the
       types. Tools like restorecon and RPM will use these paths to put down
       labels.

       NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux
       policy onto machines and set up the labeling. The spec file also
       installs the interface file and a man page describing the policy. You
       can use sepolicy manpage -d NAME to generate the man page.

       NAME.sh
       This is a helper shell script to compile, install and fix the labeling
       on your test system. It will also generate a man page based on the
       installed policy, and compile and build an RPM suitable to be installed
       on other machines.
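
       The note under NAME.te means a generated policy does not enforce
       anything until its permissive line is removed. As an added example
       (not part of this man page or of the sepolicy project), the script
       below reports every active permissive statement left in .te files so
       that a build can refuse to package them; the function names and the
       sample rwhod.te content are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active "permissive TYPE;" statements left in
# generated .te files, e.g. as a gate before building the policy RPM.

# list_permissive FILE...
# Prints FILE:LINE:TYPE per active statement; returns 1 if any were found.
list_permissive() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                # ignore policy comments
            n = split(line, stmt, ";")          # statements end with ";"
            for (i = 1; i < n; i++) {
                s = stmt[i]
                gsub(/^[ \t]+|[ \t]+$/, "", s)  # trim whitespace
                if (split(s, w, /[ \t]+/) == 2 && w[1] == "permissive") {
                    printf "%s:%d:%s\n", FILENAME, FNR, w[2]
                    found = 1
                }
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# write_sample_te FILE: constructed sample shaped like a generated rwhod.te.
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(rwhod, 1.0.0)

type rwhod_t;
type rwhod_exec_t;
init_daemon_domain(rwhod_t, rwhod_exec_t)

# permissive old_t;   (commented out, must not be reported)
permissive rwhod_t;
EOF
}

demo_dir=$(mktemp -d)
write_sample_te "$demo_dir/rwhod.te"
if list_permissive "$demo_dir/rwhod.te"; then
    echo "no permissive domains: ready for enforcing mode"
else
    echo "remove the permissive line(s) above before shipping" >&2
fi
rm -rf "$demo_dir"
```

       On an installed system, semanage permissive -l lists the domains that
       are currently permissive.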

OPTIONS

       -h, --help
              Display help message

       -d, --domain
              Enter domain type(s) which you will be extending

       -n, --name
              Specify alternate name of policy. The policy will default to the
              executable or name specified

       -p, --path
              Specify the directory to store the created policy files.
              (Default to current working directory)

       optional arguments:

       -r, --role
              Enter role(s) to which this admin user will transition

       -t, --type
              Enter type(s) for which you will generate new definition and
              rule(s)

       -u, --user
              SELinux user(s) which will transition to this domain

       -w, --writepath
              Path(s) which the confined processes need to write to

       -a, --admin
              Domain(s) which the confined admin will administrate

       --admin_user
              Generate Policy for Administrator Login User Role

       --application
              Generate Policy for User Application

       --cgi  Generate Policy for Web Application/Script (CGI)

       --confined_admin
              Generate Policy for Confined Root Administrator Role

       --customize
              Generate Policy for Existing Domain Type

       --dbus Generate Policy for DBUS System Daemon

       --desktop_user
              Generate Policy for Desktop Login User Role

       --inetd
              Generate Policy for Internet Services Daemon

       --init Generate Policy for Standard Init Daemon (Default)

       --newtype
              Generate new policy for new types to add to an existing policy

       --sandbox
              Generate Policy for Sandbox

       --term_user
              Generate Policy for Minimal Terminal Login User Role

       --x_user
              Generate Policy for Minimal X Windows Login User Role

EXAMPLE

       > sepolicy generate --init /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script

AUTHOR

       This man page was written by Daniel Walsh <dwalsh@redhat.com>

SEE ALSO

       sepolicy(8), selinux(8)

                                   20121005               sepolicy-generate(8)