logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

sepolicy-generate - Generate an initial SELinux policy module template.

Author

       This man page was written by Daniel Walsh <dwalsh@redhat.com>

Description

       Use sepolicygenerate to generate an SELinux policy Module.

       sepolicygenerate will create 5 files.

       When  specifying  a  confinedapplication  you  must  specify a path. sepolicygenerate will use the rpm
       payload of the application along with nm-DAPPLICATION to help it generate types and  policy  rules  for
       your policy files.

       NAME.te
       This file can be used to define all the types enforcement rules for a particular domain.

       Note:  Policy generated by sepolicygenerate will automatically add a permissiveDOMAIN to your .te file.
       When you are satisfied that your policy works, you need to remove the permissive line from the  .te  file
       to run your domain in enforcing mode.

       NAME.if
       This  file  defines  the  interfaces  for the types generated in the .te file, which can be used by other
       policy domains.

       NAME.fc
       This file defines the default file context for the system, it takes the file types  created  in  the  .te
       file  and  associates file paths to the types.  Tools like restorecon and RPM will use these paths to put
       down labels.

       NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the
       labeling. The spec file also installs the interface file and a man page describing the  policy.  You  can
       use sepolicymanpage-dNAME to generate the man page.

       NAME.sh
       This  is a helper shell script to compile, install and fix the labeling on your test system. It will also
       generate a man page based on the installed policy, and compile and build an RPM suitable to be  installed
       on other machines.

Example

>sepolicygenerate--init/usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script

Name

       sepolicy-generate - Generate an initial SELinux policy module template.

Options

-h,--help
              Display help message

       -d,--domain
              Enter domain type(s) which you will be extending

       -n,--name
              Specify alternate name of policy. The policy will default to the executable or name specified

       -p,--path
              Specify the directory to store the created policy files. (Default to current working directory )

       optional arguments:

       -r,--role
              Enter role(s) to which this admin user will transition

       -t,--type
              Enter type(s) for which you will generate new definition and rule(s)

       -u,--user
              SELinux user(s) which will transition to this domain

       -w,--writepath
              Path(s) which the confined processes need to write to

       -a,--admin
              Domain(s) which the confined admin will administrate

       --admin_user
              Generate Policy for Administrator Login User Role

       --application
              Generate Policy for User Application

       --cgi  Generate Policy for Web Application/Script (CGI)

       --confined_admin
              Generate Policy for Confined Root Administrator Role

       --customize
              Generate Policy for Existing Domain Type

       --dbus Generate Policy for DBUS System Daemon

       --desktop_user
              Generate Policy for Desktop Login User Role

       --inetd
              Generate Policy for Internet Services Daemon

       --init Generate Policy for Standard Init Daemon (Default)

       --newtype
              Generate new policy for new types to add to an existing policy

       --sandbox
              Generate Policy for Sandbox

       --term_user
              Generate Policy for Minimal Terminal Login User Role

       --x_user
              Generate Policy for Minimal X Windows Login User Role

See Also

sepolicy(8), selinux(8)

                                                    20121005                                sepolicy-generate(8)

Synopsis

       Common options

       sepolicygenerate[-h][-pPATH]

       Confined Applications

       sepolicygenerate--application[-nNAME][-uUSER]command[-wWRITE_PATH]sepolicygenerate--cgi[-nNAME]command[-wWRITE_PATH]sepolicygenerate--dbus[-nNAME]command[-wWRITE_PATH]sepolicygenerate--inetd[-nNAME]command[-wWRITE_PATH]sepolicygenerate--init[-nNAME]command[-wWRITE_PATH]

       Confined Users

       sepolicygenerate--admin_user[-rTRANSITION_ROLE]-nNAMEsepolicygenerate--confined_admin-nNAME[-aADMIN_DOMAIN][-uUSER][-nNAME][-wWRITE_PATH]sepolicygenerate--desktop_user-nNAME[-wWRITE_PATH]sepolicygenerate--term_user-nNAME[-wWRITE_PATH]sepolicygenerate--x_user-nNAME[-wWRITE_PATH]

       Miscellaneous Policy

       sepolicygenerate--customize-dDOMAIN-nNAME[-aADMIN_DOMAIN]sepolicygenerate--newtype-ttype-nNAMEsepolicygenerate--sandbox-nNAME

See Also