Use sepolicy generate to generate an SELinux policy module.
sepolicy generate will create 5 files.
When specifying a confined application you must specify a path.
sepolicy generate will use the rpm payload of the application along
with nm -D APPLICATION to help it generate types and policy rules for
your policy files.
Type Enforcing File NAME.te
This file can be used to define all the types rules for a particular
Note: Policy generated by sepolicy generate will automatically add a
permissive DOMAIN to your te file. When you are satisfied that your
policy works, you need to remove the permissive line from the te file
to run your domain in enforcing mode.
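Added example (not part of the original manual page): a shell sketch of the last step in the note above. It lists the domains a generated NAME.te still marks permissive and writes an enforcing copy with those lines dropped. The myapp names and the sample policy text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "permissive DOMAIN;" line that sepolicy generate
# puts in NAME.te, and produce an enforcing copy. Names are constructed.

# Print every domain the .te file declares permissive, one per line.
# Anchored at line start so commented-out statements are ignored.
permissive_domains() {
    sed -n 's/^[[:space:]]*permissive[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*;.*$/\1/p' "$1"
}

# Succeed only when no domain is left permissive (usable as a release gate).
is_enforcing() {
    [ -z "$(permissive_domains "$1")" ]
}

# Write the .te file to stdout with its permissive statements removed.
enforcing_te() {
    sed '/^[[:space:]]*permissive[[:space:]]\{1,\}[A-Za-z0-9_]\{1,\}[[:space:]]*;/d' "$1"
}

# Constructed stand-in for a generated myapp.te (not real tool output).
make_sample_te() {
    cat > "$1" <<'EOF'
policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# permissive in a comment must not match
permissive myapp_t;

allow myapp_t self:process signal;
EOF
}

# Demo: report, strip, re-check.
te=$(mktemp)
make_sample_te "$te"
echo "still permissive: $(permissive_domains "$te")"
enforcing_te "$te" > "$te.enforcing"
is_enforcing "$te.enforcing" && echo "enforcing copy has no permissive domains"
rm -f "$te" "$te.enforcing"
```

The module has to be rebuilt and reinstalled from the edited te file (for example with the generated NAME.sh) before the domain actually runs in enforcing mode.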
Interface File NAME.if
This file defines the interfaces for the types generated in the te
file, which can be used by other policy domains.
File Context NAME.fc
This file defines the default file context for the system; it takes
the file types created in the te file and associates file paths to
the types. Tools like restorecon and RPM will use these paths to put
RPM Spec File NAME_selinux.spec
This file is an RPM SPEC file that can be used to install the SELinux
policy onto machines and set up the labeling. The spec file also
installs the interface file and a man page describing the policy.
You can use sepolicy manpage -d NAME to generate the man page.
Shell File NAME.sh
This is a helper shell script to compile, install and fix the
labeling on your test system. It will also generate a man page based
on the installed policy, and compile and build an RPM suitable to be
installed on other machines.
If a generate is possible, this tool will print out all generate
paths from the source domain to the target domain
Display help message
Enter domain type(s) which you will be extending
Specify alternate name of policy. The policy will default to
the executable or name specified
Specify the directory to store the created policy files.
(Default to current working directory)
optional arguments:
Enter role(s) to which this admin user will transition.
Enter type(s) for which you will generate new definition and
SELinux user(s) which will transition to this domain
Path(s) which the confined processes need to write
Domain(s) which the confined admin will administrate
Generate Policy for Administrator Login User Role
Generate Policy for User Application
--cgi Generate Policy for Web Application/Script (CGI)
Generate Policy for Confined Root Administrator Role
Generate Policy for Existing Domain Type
--dbus Generate Policy for DBUS System Daemon
Generate Policy for Desktop Login User Role
Generate Policy for Internet Services Daemon
--init Generate Policy for Standard Init Daemon (Default)
Generate new policy for new types to add to an existing
Generate Policy for Sandbox
Generate Policy for Minimal Terminal Login User Role
Generate Policy for Minimal X Windows Login User Role
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2017-03-13.