Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

sepolicy(8) [centos man page]

sepolicy(8)															       sepolicy(8)

sepolicy - SELinux Policy Inspection tool SYNOPSIS
sepolicy [-h] [-P policy_path ] {booleans,communicate,generate,interface,manpage,network,transition} OPTIONS Arguments: booleans Query SELinux policy to see description of booleans sepolicy-boolean(8) communicate Query SELinux policy to see if domains can communicate with each other sepolicy-communicate(8) generate Generate SELinux Policy module template gui Launch Graphical User Interface for SELinux Policy, requires policycoreutils-gui package. sepolicy-generate(8) interface Print SELinux Policy interface information sepolicy-interface(8) manpage Generate SELinux man pages sepolicy-manpage(8) network Query SELinux policy network information sepolicy-network(8) transition Query SELinux Policy to see how a source process domain can transition to the target process domain sepolicy-transition(8) DESCRIPTION
sepolicy is a tools set that will query the installed SELinux policy and generate useful reports, man pages, or even new policy modules. See the argument specific man pages for options and descriptions. OPTIONS
-P, --policy Alternate policy to analyze. (Defaults to currently installed policy /sys/fs/selinux/policy) -h, --help Display help message AUTHOR
This man page was written by Daniel Walsh <> SEE ALSO
selinux(8), sepolicy-booleans(8), sepolicy-communicate(8), sepolicy-generate(8),sepolicy-gui(8), sepolicy-interface(8), sepolicy-net- work(8), sepolicy-manpage(8), sepolicy-transition(8) 20121005 sepolicy(8)

Check Out this Related Man Page

sepolicy-generate(8)													      sepolicy-generate(8)

sepolicy-generate - Generate an initial SELinux policy module template. SYNOPSIS
Common options sepolicy generate [-h ] [-p PATH] Confined Applications sepolicy generate --application [-n NAME] [-u USER ]command [-w WRITE_PATH ] sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ] sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ] sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ] sepolicy generate --init [-n NAME] command [-w WRITE_PATH ] Confined Users sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u USER] [-n NAME] [-w WRITE_PATH] sepolicy generate --desktop_user -n NAME [-w WRITE_PATH] sepolicy generate --term_user -n NAME [-w WRITE_PATH] sepolicy generate --x_user -n NAME [-w WRITE_PATH] Miscellaneous Policy sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN] sepolicy generate --newtype -t type -n NAME sepolicy generate --sandbox -n NAME DESCRIPTION
Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will create 5 files. When specifying a confined application you must specify a path. sepolicy generate will use the rpm payload of the application along with nm -D APPLICATION to help it generate types and policy rules for your policy files. Type Enforcing File NAME.te This file can be used to define all the types rules for a particular domain. Note: Policy generated by sepolicy generate will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode. Interface File NAME.if This file defines the interfaces for the types generated in the te file, which can be used by other policy domains. File Context NAME.fc This file defines the default file context for the system, it takes the file types created in the te file and associates file paths to the types. Tools like restorecon and RPM will use these paths to put down labels. RPM Spec File NAME_selinux.spec This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page. Shell File This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines If a generate is possible, this tool will print out all generate paths from the source domain to the target domain OPTIONS
-h, --help Display help message -d, --domain Enter domain type(s) which you will be extending -n, --name Specify alternate name of policy. The policy will default to the executable or name specified -p, --path Specify the directory to store the created policy files. (Default to current working directory ) optional arguments: -r, --role Enter role(s) to which this admin user will transition. -t, --type Enter type(s) for which you will generate new definition and rule(s) -u, --user SELinux user(s) which will transition to this domain -w, --writepath Path(s) which the confined processes need to write -a, --admin Domain(s) which the confined admin will administrate --admin_user Generate Policy for Administrator Login User Role --application Generate Policy for User Application --cgi Generate Policy for Web Application/Script (CGI) --confined_admin Generate Policy for Confined Root Administrator Role --customize Generate Policy for Existing Domain Type --dbus Generate Policy for DBUS System Daemon --desktop_user Generate Policy for Desktop Login User Role --inetd Generate Policy for Internet Services Daemon --init Generate Policy for Standard Init Daemon (Default) --newtype Generate new policy for new types to add to an existing policy. --sandbox Generate Policy for Sandbox --term_user Generate Policy for Minimal Terminal Login User Role --x_user Generate Policy for Minimal X Windows Login User Role EXAMPLE
> sepolicy generate --init /usr/sbin/rwhod Generating Policy for /usr/sbin/rwhod named rwhod Created the following files in: rwhod.te # Type Enforcement file rwhod.if # Interface file rwhod.fc # File Contexts file rwhod_selinux.spec # Spec file # Setup Script AUTHOR
This man page was written by Daniel Walsh <> SEE ALSO
sepolicy(8), selinux(8) 20121005 sepolicy-generate(8)
Man Page