sepolicy-generate(8)    sepolicy-generate(8)

sepolicy-generate - Generate an initial SELinux policy module template.

Common options

    sepolicy generate [-h] [-p PATH]

Confined Applications

    sepolicy generate --application [-n NAME] [-u USER] command [-w WRITE_PATH]
    sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH]
    sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH]
    sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH]
    sepolicy generate --init [-n NAME] command [-w WRITE_PATH]

Confined Users

    sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
    sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u USER] [-n NAME] [-w WRITE_PATH]
    sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
    sepolicy generate --term_user -n NAME [-w WRITE_PATH]
    sepolicy generate --x_user -n NAME [-w WRITE_PATH]

Miscellaneous Policy

    sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
    sepolicy generate --newtype -t type -n NAME
    sepolicy generate --sandbox -n NAME

Use sepolicy generate to generate an SELinux policy module.

sepolicy generate will create 5 files.

When specifying a confined application you must specify a path. sepolicy generate will use the rpm payload of the application along with nm -D APPLICATION to help it generate types and policy rules for your policy files.

NAME.te
    This file can be used to define all the type enforcement rules for a particular domain.

    Note: Policy generated by sepolicy generate will automatically add a permissive DOMAIN to your .te file. When you are satisfied that your policy works, you need to remove the permissive line from the .te file to run your domain in enforcing mode.

NAME.if
    This file defines the interfaces for the types generated in the .te file, which can be used by other policy domains.

NAME.fc
    This file defines the default file context for the system. It takes the file types created in the .te file and associates file paths to the types. Tools like restorecon and RPM will use these paths to put down labels.

NAME_selinux.spec
    This file is an RPM SPEC file that can be used to install the SELinux policy onto machines and set up the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page.

NAME.sh
    This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
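
A check for the Note under NAME.te, as an added example that is not part of this man page or of the sepolicy tooling: a shell gate that fails while a .te file still declares a permissive domain. The function names and the sample rwhod.te contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate on leftover "permissive" declarations in a .te file.

# Print each type named in a "permissive <type>;" statement, ignoring # comments.
permissive_domains() {
    awk '{ sub(/#.*/, "") }
         $1 == "permissive" { sub(/;.*/, "", $2); if ($2 != "") print $2 }' "$1"
}

# Return 0 if the module would run enforcing, 1 if any domain is still permissive.
check_enforcing_ready() {
    domains=$(permissive_domains "$1")
    if [ -n "$domains" ]; then
        printf '%s: still permissive: %s\n' "$1" "$(echo $domains)" >&2
        return 1
    fi
    return 0
}

# Constructed sample input; not the exact output of sepolicy generate.
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(rwhod, 1.0.0)
type rwhod_t;
type rwhod_exec_t;
init_daemon_domain(rwhod_t, rwhod_exec_t)
# permissive old_t;   (commented out, must be ignored)
permissive rwhod_t;
allow rwhod_t self:process fork;
EOF
}

demo_dir=$(mktemp -d)
write_sample_te "$demo_dir/rwhod.te"
check_enforcing_ready "$demo_dir/rwhod.te" ||
    echo "remove the permissive line before building the RPM"
rm -rf "$demo_dir"
```

Running check_enforcing_ready on NAME.te before the RPM build keeps a module that was only ever tested in permissive mode from being shipped as if it were enforcing.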

-h, --help
    Display help message

-d, --domain
    Enter domain type(s) which you will be extending

-n, --name
    Specify alternate name of policy. The policy will default to the executable or name specified

-p, --path
    Specify the directory to store the created policy files. (Default to current working directory)

optional arguments:

-r, --role
    Enter role(s) to which this admin user will transition

-t, --type
    Enter type(s) for which you will generate new definition and rule(s)

-u, --user
    SELinux user(s) which will transition to this domain

-w, --writepath
    Path(s) which the confined processes need to write to

-a, --admin
    Domain(s) which the confined admin will administrate

--admin_user
    Generate Policy for Administrator Login User Role

--application
    Generate Policy for User Application

--cgi
    Generate Policy for Web Application/Script (CGI)

--confined_admin
    Generate Policy for Confined Root Administrator Role

--customize
    Generate Policy for Existing Domain Type

--dbus
    Generate Policy for DBUS System Daemon

--desktop_user
    Generate Policy for Desktop Login User Role

--inetd
    Generate Policy for Internet Services Daemon

--init
    Generate Policy for Standard Init Daemon (Default)

--newtype
    Generate new policy for new types to add to an existing policy

--sandbox
    Generate Policy for Sandbox

--term_user
    Generate Policy for Minimal Terminal Login User Role

--x_user
    Generate Policy for Minimal X Windows Login User Role

> sepolicy generate --init /usr/sbin/rwhod
Generating Policy for /usr/sbin/rwhod named rwhod
Created the following files:
rwhod.te # Type Enforcement file
rwhod.if # Interface file
rwhod.fc # File Contexts file
rwhod_selinux.spec # Spec file
rwhod.sh # Setup Script

This man page was written by Daniel Walsh <dwalsh@redhat.com>

sepolicy(8), selinux(8)

20121005    sepolicy-generate(8)