Provided by: selinux-policy-dev_2.20190201-3_all


       policygentool - Interactive SELinux policy generation tool


       policygentool [options] <Module Name> <full path for application binary file>


       This tool generates three files for policy development: a Type Enforcement (te) file, a
       File Context (fc) file, and an Interface (if) file.  Most of the policy rules will be
       written in the te file.  Use the File Context file to associate file paths with security
       contexts.  Use the interface rules to allow other protected domains to interact with the
       newly defined domains.

       The tool prompts for the locations of pidfiles, any logfiles, files in /var/lib, and any
       init scripts, and asks whether any network access is desirable for the application.  The
       tool then generates the appropriate policy rules for the module.  After these files have
       been generated, the Makefile for the appropriate SELinux policy, namely
       /usr/share/selinux/refpolicy-targeted/include/Makefile or
       /usr/share/selinux/refpolicy-strict/include/Makefile, can be used to compile the SELinux
       policy package.  The resulting policy package can be loaded using semodule.

         # /usr/bin/policygentool myapp /usr/bin/myapp
         # cat >Makefile
         > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
         > include $(HEADERDIR)/Makefile
         > ^D
         # make
         # semodule -i myapp.pp
         # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
         # setenforce 0
         # /etc/init.d/myapp start
         # audit2allow -R -i /var/log/audit/audit.log
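
       The last step above hands the denials logged during the permissive-mode run to
       audit2allow.  The following Python script is an added example, not part of the original
       manual page or of policygentool: it groups the AVC denials for one source domain so the
       requested permissions can be reviewed before any are added to myapp.te.  The log lines
       are constructed, and the domain name myapp_t is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1550000000.101:41): avc:  denied  { read open } for  pid=901 comm="myapp" path="/var/log/myapp.log" dev="sda1" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550000000.202:42): avc:  denied  { append } for  pid=901 comm="myapp" name="myapp.log" dev="sda1" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550000000.303:43): avc:  denied  { name_bind } for  pid=901 comm="myapp" src=8080 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1550000000.404:44): avc:  denied  { read } for  pid=950 comm="other" name="shadow" dev="sda1" ino=12 scontext=system_u:system_r:other_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1550000000.404:44): arch=c000003e syscall=2 success=yes exit=3 comm="other"
"""

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    return context.split(":", 3)[2]

def denials_for_domain(log_text, domain):
    """Group denied permissions by (target type, class) for one source domain."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, USER_AVC and other record types
        m = AVC_RE.search(line)
        if not m or context_type(m["scon"]) != domain:
            continue
        grouped[(context_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return grouped

def allow_rules(grouped, domain):
    """Render one candidate allow rule per (target type, class) for review."""
    return [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in allow_rules(denials_for_domain(SAMPLE_LOG, "myapp_t"), "myapp_t"):
        print(rule)
```

       Each printed rule is a candidate to review against what the application is expected to
       do, not a rule to paste into the te file unchanged.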


       -h, --help
              Print a short usage message.


       myapp.te, myapp.if, myapp.fc.


       semodule(8), checkpolicy(8), load_policy(8).


       None known.


       This  manual  page  was  written by Manoj Srivastava <>, for the Debian
       GNU/Linux system.