|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLE | AUTHOR | SEE ALSO | COLOPHON |
|
|
|
sepolicy-generate(8) sepolicy-generate(8)
sepolicy-generate - Generate an initial SELinux policy module
template.
Common options
sepolicy generate [-h ] [-p PATH]
Confined Applications
sepolicy generate --application [-n NAME] [-u USER ]command [-w
WRITE_PATH ]
sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ]
sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ]
sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ]
sepolicy generate --init [-n NAME] command [-w WRITE_PATH ]
Confined Users
sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u
USER] [-n NAME] [-w WRITE_PATH]
sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
sepolicy generate --term_user -n NAME [-w WRITE_PATH]
sepolicy generate --x_user -n NAME [-w WRITE_PATH]
Miscellaneous Policy
sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
sepolicy generate --newtype -t type -n NAME
sepolicy generate --sandbox -n NAME
Use sepolicy generate to generate an SELinux policy Module.
sepolicy generate will create 5 files.
When specifying a confined application you must specify a path.
sepolicy generate will use the rpm payload of the application
along with nm -D APPLICATION to help it generate types and policy
rules for your policy files.
NAME.te
This file can be used to define all the types enforcement rules
for a particular domain.
Note: Policy generated by sepolicy generate will automatically add
a permissive DOMAIN to your .te file. When you are satisfied that
your policy works, you need to remove the permissive line from the
.te file to run your domain in enforcing mode.
NAME.if
This file defines the interfaces for the types generated in the
.te file, which can be used by other policy domains.
NAME.fc
This file defines the default file context for the system, it
takes the file types created in the .te file and associates file
paths to the types. Tools like restorecon and RPM will use these
paths to put down labels.
NAME_selinux.spec
This file is an RPM SPEC file that can be used to install the
SELinux policy on to machines and setup the labeling. The spec
file also installs the interface file and a man page describing
the policy. You can use sepolicy manpage -d NAME to generate the
man page.
NAME.sh
This is a helper shell script to compile, install and fix the
labeling on your test system. It will also generate a man page
based on the installed policy, and compile and build an RPM
suitable to be installed on other machines.
-h, --help
Display help message
-d, --domain
Enter domain type(s) which you will be extending
-n, --name
Specify alternate name of policy. The policy will default
to the executable or name specified
-p, --path
Specify the directory to store the created policy files.
(Default to current working directory )
optional arguments:
-r, --role
Enter role(s) to which this admin user will transition
-t, --type
Enter type(s) for which you will generate new definition
and rule(s)
-u, --user
SELinux user(s) which will transition to this domain
-w, --writepath
Path(s) which the confined processes need to write to
-a, --admin
Domain(s) which the confined admin will administrate
--admin_user
Generate Policy for Administrator Login User Role
--application
Generate Policy for User Application
--cgi Generate Policy for Web Application/Script (CGI)
--confined_admin
Generate Policy for Confined Root Administrator Role
--customize
Generate Policy for Existing Domain Type
--dbus Generate Policy for DBUS System Daemon
--desktop_user
Generate Policy for Desktop Login User Role
--inetd
Generate Policy for Internet Services Daemon
--init Generate Policy for Standard Init Daemon (Default)
--newtype
Generate new policy for new types to add to an existing
policy
--sandbox
Generate Policy for Sandbox
--term_user
Generate Policy for Minimal Terminal Login User Role
--x_user
Generate Policy for Minimal X Windows Login User Role
> sepolicy generate --init /usr/sbin/rwhod
Generating Policy for /usr/sbin/rwhod named rwhod
Created the following files:
rwhod.te # Type Enforcement file
rwhod.if # Interface file
rwhod.fc # File Contexts file
rwhod_selinux.spec # Spec file
rwhod.sh # Setup Script
This man page was written by Daniel Walsh <[email protected]>
sepolicy(8), selinux(8)
This page is part of the selinux (Security-Enhanced Linux user-
space libraries and tools) project. Information about the project
can be found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩.
If you have a bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2025-08-11. (At
that time, the date of the most recent commit that was found in
the repository was 2025-08-04.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
[email protected]
20121005 sepolicy-generate(8)
Pages that refer to this page: selinux-polgengui(8), sepolicy(8)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|