sepolgen(8) — Linux manual page


sepolicy-generate(8)                                    sepolicy-generate(8)

NAME         top

       sepolicy-generate  -  Generate  an initial SELinux policy module tem‐

SYNOPSIS         top

       Common options

       sepolicy generate [-h ] [-p PATH]

       Confined Applications

       sepolicy generate --application [-n NAME] [-u USER ]command [-w
       WRITE_PATH ]
       sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --init [-n NAME] command [-w WRITE_PATH ]

       Confined Users

       sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
       sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u
       USER] [-n NAME] [-w WRITE_PATH]
       sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
       sepolicy generate --term_user -n NAME [-w WRITE_PATH]
       sepolicy generate --x_user -n NAME [-w WRITE_PATH]

       Miscellaneous Policy

       sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
       sepolicy generate --newtype -t type -n NAME
       sepolicy generate --sandbox -n NAME

DESCRIPTION         top

       Use sepolicy generate to generate an SELinux policy Module.

       sepolicy generate will create 5 files.

       When specifying a confined application you must specify a path.
       sepolicy generate will use the rpm payload of the application along
       with nm -D APPLICATION to help it generate types and policy rules for
       your policy files.

       Type Enforcing File NAME.te
       This file can be used to define all the types rules for a particular

       Note: Policy generated by sepolicy generate will automatically add a
       permissive DOMAIN to your te file.  When you are satisfied that your
       policy works, you need to remove the permissive line from the te file
       to run your domain in enforcing mode.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te
       file, which can be used by other policy domains.

       File Context NAME.fc
       This file defines the default file context for the system, it takes
       the file types created in the te file and associates file paths to
       the types.  Tools like restorecon and RPM will use these paths to put
       down labels.

       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux
       policy on to machines and setup the labeling. The spec file also
       installs the interface file and a man page describing the policy.
       You can use sepolicy manpage -d NAME to generate the man page.

       Shell File
       This is a helper shell script to compile, install and fix the
       labeling on your test system.  It will also generate a man page based
       on the installed policy, and compile and build an RPM suitable to be
       installed on other machines

       If a generate is possible, this tool will print out all generate
       paths from the source domain to the target domain

OPTIONS         top

       -h, --help
              Display help message

       -d, --domain
              Enter domain type(s) which you will be extending

       -n, --name
              Specify alternate name of policy. The policy will default to
              the executable or name specified

       -p, --path
              Specify the directory to store the created policy files.
              (Default to current working directory ) optional arguments:

       -r, --role
              Enter role(s) to which this admin user will transition.

       -t, --type
              Enter type(s) for which you will generate new definition and

       -u, --user
              SELinux user(s) which will transition to this domain

       -w, --writepath
              Path(s) which the confined processes need to write

       -a, --admin
              Domain(s) which the confined admin will administrate

              Generate Policy for Administrator Login User Role

              Generate Policy for User Application

       --cgi  Generate Policy for Web Application/Script (CGI)

              Generate Policy for Confined Root Administrator Role

              Generate Policy for Existing Domain Type

       --dbus Generate Policy for DBUS System Daemon

              Generate Policy for Desktop Login User Role

              Generate Policy for Internet Services Daemon

       --init Generate Policy for Standard Init Daemon (Default)

              Generate new policy for new types to add to an existing

              Generate Policy for Sandbox

              Generate Policy for Minimal Terminal Login User Role

              Generate Policy for Minimal X Windows Login User Role

EXAMPLE         top

       > sepolicy generate --init /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file # Setup Script

AUTHOR         top

       This man page was written by Daniel Walsh <>

SEE ALSO         top

       sepolicy(8), selinux(8)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-09-18.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-09-17.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to

                                  20121005              sepolicy-generate(8)