Provided by: policycoreutils-dev_3.4-1_amd64 bug


       sepolicy-generate - Generate an initial SELinux policy module template.


       Common options

       sepolicy generate [-h ] [-p PATH]

       Confined Applications

       sepolicy generate --application [-n NAME] [-u USER ]command [-w WRITE_PATH ]
       sepolicy generate --cgi [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --dbus [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --inetd [-n NAME] command [-w WRITE_PATH ]
       sepolicy generate --init [-n NAME] command [-w WRITE_PATH ]

       Confined Users

       sepolicy generate --admin_user [-r TRANSITION_ROLE] -n NAME
       sepolicy  generate  --confined_admin  -n  NAME  [-a  ADMIN_DOMAIN] [-u USER] [-n NAME] [-w
       sepolicy generate --desktop_user -n NAME [-w WRITE_PATH]
       sepolicy generate --term_user -n NAME [-w WRITE_PATH]
       sepolicy generate --x_user -n NAME [-w WRITE_PATH]

       Miscellaneous Policy

       sepolicy generate --customize -d DOMAIN -n NAME [-a ADMIN_DOMAIN]
       sepolicy generate --newtype -t type -n NAME
       sepolicy generate --sandbox -n NAME


       Use sepolicy generate to generate an SELinux policy Module.

       sepolicy generate will create 5 files.

       When specifying a confined application you must specify a path. sepolicy generate will use
       the  rpm payload of the application along with nm -D APPLICATION to help it generate types
       and policy rules for your policy files.

       Type Enforcing File NAME.te
       This file can be used to define all the types rules for a particular domain.

       Note: Policy generated by sepolicy generate will automatically add a permissive DOMAIN  to
       your  te  file.   When  you  are  satisfied that your policy works, you need to remove the
       permissive line from the te file to run your domain in enforcing mode.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te file, which can be used
       by other policy domains.

       File Context NAME.fc
       This file defines the default file context for the system, it takes the file types created
       in the te file and associates file paths to the types.  Tools like restorecon and RPM will
       use these paths to put down labels.

       RPM Spec File NAME_selinux.spec
       This  file  is  an  RPM  SPEC  file  that  can be used to install the SELinux policy on to
       machines and setup the labeling. The spec file also installs the interface file and a  man
       page  describing  the  policy.   You  can use sepolicy manpage -d NAME to generate the man

       Shell File
       This is a helper shell script to compile, install  and  fix  the  labeling  on  your  test
       system.   It  will also generate a man page based on the installed policy, and compile and
       build an RPM suitable to be installed on other machines

       If a generate is possible, this tool will print out all generate  paths  from  the  source
       domain to the target domain


       -h, --help
              Display help message

       -d, --domain
              Enter domain type(s) which you will be extending

       -n, --name
              Specify alternate name of policy. The policy will default to the executable or name

       -p, --path
              Specify the directory to store  the  created  policy  files.  (Default  to  current
              working directory ) optional arguments:

       -r, --role
              Enter role(s) to which this admin user will transition.

       -t, --type
              Enter type(s) for which you will generate new definition and rule(s)

       -u, --user
              SELinux user(s) which will transition to this domain

       -w, --writepath
              Path(s) which the confined processes need to write

       -a, --admin
              Domain(s) which the confined admin will administrate

              Generate Policy for Administrator Login User Role

              Generate Policy for User Application

       --cgi  Generate Policy for Web Application/Script (CGI)

              Generate Policy for Confined Root Administrator Role

              Generate Policy for Existing Domain Type

       --dbus Generate Policy for DBUS System Daemon

              Generate Policy for Desktop Login User Role

              Generate Policy for Internet Services Daemon

       --init Generate Policy for Standard Init Daemon (Default)

              Generate new policy for new types to add to an existing policy.

              Generate Policy for Sandbox

              Generate Policy for Minimal Terminal Login User Role

              Generate Policy for Minimal X Windows Login User Role


       > sepolicy generate --init /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file # Setup Script


       This man page was written by Daniel Walsh <>


       sepolicy(8), selinux(8)

                                             20121005                        sepolicy-generate(8)