176 lines
5.0 KiB
Groff
176 lines
5.0 KiB
Groff
.TH "sepolicy-generate" "8" "20121005" "" ""
|
|
.SH "NAME"
|
|
sepolicy-generate \- Generate an initial SELinux policy module template.
|
|
|
|
.SH "SYNOPSIS"
|
|
|
|
Common options
|
|
|
|
.B sepolicy generate [\-h ] [\-p PATH]
|
|
|
|
.br
|
|
|
|
Confined Applications
|
|
|
|
.br
|
|
.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ]
|
|
.br
|
|
.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
|
|
.br
|
|
.B sepolicy generate \-\-dbus [\-n NAME] command [\-w WRITE_PATH ]
|
|
.br
|
|
.B sepolicy generate \-\-inetd [\-n NAME] command [\-w WRITE_PATH ]
|
|
.br
|
|
.B sepolicy generate \-\-init [\-n NAME] command [\-w WRITE_PATH ]
|
|
|
|
Confined Users
|
|
|
|
.br
|
|
.B sepolicy generate \-\-admin_user [\-r TRANSITION_ROLE] \-n NAME
|
|
.br
|
|
.B sepolicy generate \-\-confined_admin \-n NAME [\-a ADMIN_DOMAIN] [\-u USER] [\-n NAME] [\-w WRITE_PATH]
|
|
.br
|
|
.B sepolicy generate \-\-desktop_user \-n NAME [\-w WRITE_PATH]
|
|
.br
|
|
.B sepolicy generate \-\-term_user \-n NAME [\-w WRITE_PATH]
|
|
.br
|
|
.B sepolicy generate \-\-x_user \-n NAME [\-w WRITE_PATH]
|
|
.br
|
|
|
|
Miscellaneous Policy
|
|
|
|
.br
|
|
.B sepolicy generate \-\-customize \-d DOMAIN \-n NAME [\-a ADMIN_DOMAIN]
|
|
.br
|
|
.B sepolicy generate \-\-newtype \-t type \-n NAME
|
|
.br
|
|
.B sepolicy generate \-\-sandbox \-n NAME
|
|
|
|
.SH "DESCRIPTION"
|
|
Use \fBsepolicy generate\fP to generate an SELinux policy Module.
|
|
|
|
.br
|
|
\fBsepolicy generate\fP will create 5 files.
|
|
|
|
When specifying a \fBconfined application\fP you must specify a
|
|
path. \fBsepolicy generate\fP will use the rpm payload of the
|
|
application along with \fBnm \-D APPLICATION\fP to help it generate
|
|
types and policy rules for your policy files.
|
|
|
|
.B NAME.te
|
|
.br
|
|
This file can be used to define all the types enforcement rules for a particular domain.
|
|
|
|
.I Note:
|
|
Policy generated by \fBsepolicy generate\fP will automatically add a \fIpermissive DOMAIN\fP to your \fB.te\fP file. When you are satisfied that your policy works, you need to remove the permissive line from the \fB.te\fP file to run your domain in enforcing mode.
|
|
|
|
.B NAME.if
|
|
.br
|
|
This file defines the interfaces for the types generated in the \fB.te\fP file, which can be used by other policy domains.
|
|
|
|
.B NAME.fc
|
|
.br
|
|
This file defines the default file context for the system, it takes the file types created in the \fB.te\fP file and associates
|
|
file paths to the types. Tools like restorecon and RPM will use these paths to put down labels.
|
|
|
|
.B NAME_selinux.spec
|
|
.br
|
|
This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
|
|
|
|
.B NAME.sh
|
|
.br
|
|
This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
|
|
|
|
.SH "OPTIONS"
|
|
.TP
|
|
.I \-h, \-\-help
|
|
Display help message
|
|
.TP
|
|
.I \-d, \-\-domain
|
|
Enter domain type(s) which you will be extending
|
|
.TP
|
|
.I \-n, \-\-name
|
|
Specify alternate name of policy. The policy will default to the executable or name specified
|
|
.TP
|
|
.I \-p, \-\-path
|
|
Specify the directory to store the created policy files. (Default to current working directory )
|
|
.TP
|
|
optional arguments:
|
|
.TP
|
|
.I \-r, \-\-role
|
|
Enter role(s) to which this admin user will transition
|
|
.TP
|
|
.I \-t, \-\-type
|
|
Enter type(s) for which you will generate new definition and rule(s)
|
|
.TP
|
|
.I \-u, \-\-user
|
|
SELinux user(s) which will transition to this domain
|
|
.TP
|
|
.I \-w, \-\-writepath
|
|
Path(s) which the confined processes need to write to
|
|
.TP
|
|
.I \-a, \-\-admin
|
|
Domain(s) which the confined admin will administrate
|
|
.TP
|
|
.I \-\-admin_user
|
|
Generate Policy for Administrator Login User Role
|
|
.TP
|
|
.I \-\-application
|
|
Generate Policy for User Application
|
|
.TP
|
|
.I \-\-cgi
|
|
Generate Policy for Web Application/Script (CGI)
|
|
.TP
|
|
.I \-\-confined_admin
|
|
Generate Policy for Confined Root Administrator Role
|
|
.TP
|
|
.I \-\-customize
|
|
Generate Policy for Existing Domain Type
|
|
.TP
|
|
.I \-\-dbus
|
|
Generate Policy for DBUS System Daemon
|
|
.TP
|
|
.I \-\-desktop_user
|
|
Generate Policy for Desktop Login User Role
|
|
.TP
|
|
.I \-\-inetd
|
|
Generate Policy for Internet Services Daemon
|
|
.TP
|
|
.I \-\-init
|
|
Generate Policy for Standard Init Daemon (Default)
|
|
.TP
|
|
.I \-\-newtype
|
|
Generate new policy for new types to add to an existing policy
|
|
.TP
|
|
.I \-\-sandbox
|
|
Generate Policy for Sandbox
|
|
.TP
|
|
.I \-\-term_user
|
|
Generate Policy for Minimal Terminal Login User Role
|
|
.TP
|
|
.I \-\-x_user
|
|
Generate Policy for Minimal X Windows Login User Role
|
|
|
|
.SH "EXAMPLE"
|
|
.B > sepolicy generate --init /usr/sbin/rwhod
|
|
.br
|
|
Generating Policy for /usr/sbin/rwhod named rwhod
|
|
.br
|
|
Created the following files:
|
|
.br
|
|
rwhod.te # Type Enforcement file
|
|
.br
|
|
rwhod.if # Interface file
|
|
.br
|
|
rwhod.fc # File Contexts file
|
|
.br
|
|
rwhod_selinux.spec # Spec file
|
|
.br
|
|
rwhod.sh # Setup Script
|
|
|
|
.SH "AUTHOR"
|
|
This man page was written by Daniel Walsh <dwalsh@redhat.com>
|
|
|
|
.SH "SEE ALSO"
|
|
sepolicy(8), selinux(8)
|