Open Source Software

sepolicy-generate(8)



NAME

   sepolicy-generate - Generate an initial SELinux policy module template.

SYNOPSIS

   Common options

   sepolicy generate [-h ] [-p PATH]

   Confined Applications

   sepolicy generate --application [-n NAME] command [-w WRITE_PATH ]
   sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ]
   sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ]
   sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ]
   sepolicy generate --init [-n NAME] command [-w WRITE_PATH ]

   Confined Users

   sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
   sepolicy  generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u USER]
   [-n NAME] [-w WRITE_PATH]
   sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
   sepolicy generate --term_user -n NAME [-w WRITE_PATH]
   sepolicy generate --x_user -n NAME [-w WRITE_PATH]

   Miscellaneous Policy

   sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
   sepolicy generate --newtype -t type -n NAME
   sepolicy generate --sandbox -n NAME

DESCRIPTION

   Use sepolicy generate to generate an SELinux policy Module.

   sepolicy generate will create 5 files.

   When specifying  a  confined  application  you  must  specify  a  path.
   sepolicy  generate  will  use  the rpm payload of the application along
   with nm -D APPLICATION to help it generate types and policy  rules  for
   your policy files.

   Type Enforcing File NAME.te
   This  file  can  be used to define all the types rules for a particular
   domain.

   Note: Policy generated by sepolicy generate will  automatically  add  a
   permissive  DOMAIN  to  your te file.  When you are satisfied that your
   policy works, you need to remove the permissive line from the  te  file
   to run your domain in enforcing mode.

   Interface File NAME.if
   This  file  defines  the  interfaces  for the types generated in the te
   file, which can be used by other policy domains.

   File Context NAME.fc
   This file defines the default file context for the system, it takes the
   file  types  created  in  the  te file and associates file paths to the
   types.  Tools like restorecon and RPM will use these paths to put  down
   labels.

   RPM Spec File NAME_selinux.spec
   This  file  is an RPM SPEC file that can be used to install the SELinux
   policy on to machines and  setup  the  labeling.  The  spec  file  also
   installs  the interface file and a man page describing the policy.  You
   can use sepolicy manpage -d NAME to generate the man page.

   Shell File NAME.sh
   This is a helper shell script to compile, install and fix the  labeling
   on  your  test  system.   It will also generate a man page based on the
   installed policy, and compile and build an RPM suitable to be installed
   on other machines

   If  a generate is possible, this tool will print out all generate paths
   from the source domain to the target domain

OPTIONS

   -h, --help
          Display help message

   -d, --domain
          Enter domain type(s) which you will be extending

   -n, --name
          Specify alternate name of policy. The policy will default to the
          executable or name specified

   -p, --path
          Specify  the  directory  to  store  the  created  policy  files.
          (Default to current working directory ) optional arguments:

   -r, --role
          Enter role(s) to which this admin user will transition.

   -t, --type
          Enter type(s) for which you will  generate  new  definition  and
          rule(s)

   -u, --user
          SELinux user(s) which will transition to this domain

   -w, --writepath
          Path(s) which the confined processes need to write

   -a, --admin
          Domain(s) which the confined admin will administrate

   --admin_user
          Generate Policy for Administrator Login User Role

   --application
          Generate Policy for User Application

   --cgi  Generate Policy for Web Application/Script (CGI)

   --confined_admin
          Generate Policy for Confined Root Administrator Role

   --customize
          Generate Policy for Existing Domain Type

   --dbus Generate Policy for DBUS System Daemon

   --desktop_user
          Generate Policy for Desktop Login User Role

   --inetd
          Generate Policy for Internet Services Daemon

   --init Generate Policy for Standard Init Daemon (Default)

   --newtype
          Generate new policy for new types to add to an existing policy.

   --sandbox
          Generate Policy for Sandbox

   --term_user
          Generate Policy for Minimal Terminal Login User Role

   --x_user
          Generate Policy for Minimal X Windows Login User Role

EXAMPLE

   > sepolicy generate --init /usr/sbin/rwhod
   Generating Policy for /usr/sbin/rwhod named rwhod
   Created the following files:
   rwhod.te # Type Enforcement file
   rwhod.if # Interface file
   rwhod.fc # File Contexts file
   rwhod_selinux.spec # Spec file
   rwhod.sh # Setup Script

AUTHOR

   This man page was written by Daniel Walsh <dwalsh@redhat.com>

SEE ALSO

   sepolicy(8), selinux(8)

                               20121005               sepolicy-generate(8)



Free and Open Source Software


Free Software Video

Useful Programs

Free Online Courses

Open Opportunity

Open Business