Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   sepolicy-generate    ( 8 )

создайте начальный шаблон модуля политики SELinux (Generate an initial SELinux policy module template.)

Имя (Name)

sepolicy-generate - Generate an initial SELinux policy module
       template.

Синопсис (Synopsis)

Common options


       sepolicy generate [-h ] [-p PATH]


       Confined Applications


       sepolicy generate --application [-n NAME] [-u USER ]command [-w
       WRITE_PATH ]
       sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --init [-n NAME] command [-w WRITE_PATH ]


       Confined Users


       sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
       sepolicy generate --confined_admin -n NAME [-a ADMIN_DOMAIN] [-u
       USER] [-n NAME] [-w WRITE_PATH]
       sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
       sepolicy generate --term_user -n NAME [-w WRITE_PATH]
       sepolicy generate --x_user -n NAME [-w WRITE_PATH]


       Miscellaneous Policy


       sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
       sepolicy generate --newtype -t type -n NAME
       sepolicy generate --sandbox -n NAME

Описание (Description)

Use sepolicy generate to generate an SELinux policy Module.


       sepolicy generate will create 5 files.


       When specifying a confined application you must specify a path.
       sepolicy generate will use the rpm payload of the application
       along with nm -D APPLICATION to help it generate types and policy
       rules for your policy files.


       Type Enforcing File NAME.te
       This file can be used to define all the types rules for a
       particular domain.


       Note: Policy generated by sepolicy generate will automatically
       add a permissive DOMAIN to your te file.  When you are satisfied
       that your policy works, you need to remove the permissive line
       from the te file to run your domain in enforcing mode.


       Interface File NAME.if
       This file defines the interfaces for the types generated in the
       te file, which can be used by other policy domains.


       File Context NAME.fc
       This file defines the default file context for the system, it
       takes the file types created in the te file and associates file
       paths to the types.  Tools like restorecon and RPM will use these
       paths to put down labels.


       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the
       SELinux policy on to machines and setup the labeling. The spec
       file also installs the interface file and a man page describing
       the policy.  You can use sepolicy manpage -d NAME to generate the
       man page.


       Shell File NAME.sh
       This is a helper shell script to compile, install and fix the
       labeling on your test system.  It will also generate a man page
       based on the installed policy, and compile and build an RPM
       suitable to be installed on other machines


       If a generate is possible, this tool will print out all generate
       paths from the source domain to the target domain

Параметры (Options)

-h, --help
              Display help message


       -d, --domain
              Enter domain type(s) which you will be extending


       -n, --name
              Specify alternate name of policy. The policy will default
              to the executable or name specified


       -p, --path
              Specify the directory to store the created policy files.
              (Default to current working directory ) optional
              arguments:


       -r, --role
              Enter role(s) to which this admin user will transition.


       -t, --type
              Enter type(s) for which you will generate new definition
              and rule(s)


       -u, --user
              SELinux user(s) which will transition to this domain


       -w, --writepath
              Path(s) which the confined processes need to write


       -a, --admin
              Domain(s) which the confined admin will administrate


       --admin_user
              Generate Policy for Administrator Login User Role


       --application
              Generate Policy for User Application


       --cgi  Generate Policy for Web Application/Script (CGI)


       --confined_admin
              Generate Policy for Confined Root Administrator Role


       --customize
              Generate Policy for Existing Domain Type


       --dbus Generate Policy for DBUS System Daemon


       --desktop_user
              Generate Policy for Desktop Login User Role


       --inetd
              Generate Policy for Internet Services Daemon


       --init Generate Policy for Standard Init Daemon (Default)


       --newtype
              Generate new policy for new types to add to an existing
              policy.


       --sandbox
              Generate Policy for Sandbox


       --term_user
              Generate Policy for Minimal Terminal Login User Role


       --x_user
              Generate Policy for Minimal X Windows Login User Role

Примеры (Examples)

> sepolicy generate --init /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script