sepolicy-generate man page on RedHat


sepolicy-generate(8)					  sepolicy-generate(8)

NAME
       sepolicy-generate - Generate an initial SELinux policy module template.

SYNOPSIS
       Common options

       sepolicy generate [-h ] [-p PATH]

       Confined Applications

       sepolicy generate --application [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --init [-n NAME] command [-w WRITE_PATH ]

       Confined Users

       sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
       sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u USER]
       [-w WRITE_PATH]
       sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
       sepolicy generate --term_user -n NAME [-w WRITE_PATH]
       sepolicy generate --x_user -n NAME [-w WRITE_PATH]

       Miscellaneous Policy

       sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
       sepolicy generate --newtype -t type -n NAME
       sepolicy generate --sandbox -n NAME

DESCRIPTION
       Use sepolicy generate to generate an SELinux policy module.

       sepolicy generate will create 5 files.

       When specifying a confined application you must specify a path.
       sepolicy generate will use the rpm payload of the application along
       with nm -D APPLICATION to help it generate types and policy rules for
       your policy files.

       Type Enforcing File NAME.te
       This file can be used to define all the type rules for a particular
       domain.

       Note: Policy generated by sepolicy generate will automatically add a
       permissive DOMAIN to your te file.  When you are satisfied that your
       policy works, you need to remove the permissive line from the te file
       to run your domain in enforcing mode.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te
       file, which can be used by other policy domains.

       File Context NAME.fc
       This file defines the default file context for the system.  It takes
       the file types created in the te file and associates file paths with
       the types.  Tools like restorecon and RPM will use these paths to put
       down labels.

       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux
       policy onto machines and set up the labeling.  The spec file also
       installs the interface file and a man page describing the policy.  You
       can use sepolicy manpage -d NAME to generate the man page.

       Shell File NAME.sh
       This is a helper shell script to compile, install and fix the labeling
       on your test system.  It will also generate a man page based on the
       installed policy, and compile and build an RPM suitable to be installed
       on other machines.

       If  a generate is possible, this tool will print out all generate paths
       from the source domain to the target domain

OPTIONS
       -h, --help
	      Display help message

       -d, --domain
	      Enter domain type(s) which you will be extending

       -n, --name
	      Specify alternate name of policy. The policy will default to the
	      executable or name specified

       -p, --path
	      Specify the directory to store the created policy files.
	      (Defaults to the current working directory.)

       -r, --role
	      Enter role(s) to which this admin user will transition.

       -t, --type
	      Enter type(s) for which you will generate new definition and
	      rule(s)

       -u, --user
	      SELinux user(s) which will transition to this domain

       -w, --writepath
	      Path(s) which the confined processes need to write

       -a, --admin
	      Domain(s) which the confined admin will administrate

       --admin_user
	      Generate Policy for Administrator Login User Role

       --application
	      Generate Policy for User Application

       --cgi  Generate Policy for Web Application/Script (CGI)

       --confined_admin
	      Generate Policy for Confined Root Administrator Role

       --customize
	      Generate Policy for Existing Domain Type

       --dbus Generate Policy for DBUS System Daemon

       --desktop_user
	      Generate Policy for Desktop Login User Role

       --inetd
	      Generate Policy for Internet Services Daemon

       --init Generate Policy for Standard Init Daemon (Default)

       --newtype
	      Generate new policy for new types to add to an existing policy.

       --sandbox
	      Generate Policy for Sandbox

       --term_user
	      Generate Policy for Minimal Terminal Login User Role

       --x_user
	      Generate Policy for Minimal X Windows Login User Role

EXAMPLE
       > sepolicy generate --init /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files in:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script
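
       The Note in DESCRIPTION says the generated te file starts out with a
       permissive line that must be removed before the domain is enforced.
       The script below is an added example, not part of the original man
       page or of sepolicy: it audits a te file for leftover permissive
       declarations. The function names and the sample rwhod.te content are
       constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated NAME.te for leftover "permissive" lines.

# Print each domain type that FILE declares permissive (comments ignored).
permissive_domains() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "permissive" { sub(/;.*/, "", $2); print $2 }'
}

# Write FILE to stdout without its permissive declarations, i.e. the
# form of the te file that runs the domain in enforcing mode.
strip_permissive() {
    awk '{ line = $0; sub(/#.*/, "", line); split(line, f, " ")
           if (f[1] != "permissive") print }' "$1"
}

# Release gate: return 1 if FILE would still load a permissive domain.
check_enforcing() {
    doms=$(permissive_domains "$1")
    [ -z "$doms" ] && return 0
    echo "$1: still permissive: $doms" >&2
    return 1
}

# Constructed sample in the shape of a generated rwhod.te.
sample_te() {
    cat <<'EOF'
policy_module(rwhod, 1.0.0)

type rwhod_t;
type rwhod_exec_t;
init_daemon_domain(rwhod_t, rwhod_exec_t)

# permissive rwhod_t;  (commented out: must not count)
permissive rwhod_t;

allow rwhod_t self:process { fork };
EOF
}

# Demo on the constructed sample: audit, strip, audit again.
te=$(mktemp); sample_te > "$te"
check_enforcing "$te" || echo "remove the permissive line before shipping"
strip_permissive "$te" > "$te.enforcing"
check_enforcing "$te.enforcing" && echo "enforcing build is clean"
rm -f "$te" "$te.enforcing"
```

       Running check_enforcing on NAME.te before building the RPM from
       NAME_selinux.spec keeps a permissive domain from reaching other
       machines unnoticed.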

AUTHOR
       This man page was written by Daniel Walsh <dwalsh@redhat.com>

SEE ALSO
       sepolicy(8), selinux(8)

				   20121005		  sepolicy-generate(8)