Provided by: selinux-policy-dev_2.20140206-1_all

NAME

       policygentool - Interactive SELinux policy generation tool

SYNOPSIS

       policygentool [options] <Module Name> <full path for application binary file>

DESCRIPTION

       This tool generates three files for policy development: a Type Enforcement (te) file, a File Context (fc)
       file, and an Interface (if) file.  Most of the policy rules will be written in the te file.  Use the File
       Context file to associate file paths with security contexts.  Use the interface rules to allow other
       protected domains to interact with the newly defined domains.

       The tool prompts for the locations of pidfiles, any logfiles, files in /var/lib, and any init scripts, and
       asks whether any network access is desirable for the application.  The tool then generates the appropriate
       policy rules for the module.  After these files have been generated, the Makefile for the appropriate
       SELinux policy, namely /usr/share/selinux/refpolicy-targeted/include/Makefile or
       /usr/share/selinux/refpolicy-strict/include/Makefile, can be used to compile the SELinux policy
       package.  The resulting policy package can be loaded using semodule.

         # /usr/bin/policygentool myapp /usr/bin/myapp
         # cat >Makefile
         > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
         > include $(HEADERDIR)/Makefile
         > ^D
         # make
         # semodule -i myapp.pp
         # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
         # setenforce 0
         # /etc/init.d/myapp start
         # audit2allow -R -i /var/log/audit/audit.log
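
       The last step of the session above turns the denials logged while myapp ran in permissive mode into
       candidate rules.  The following is an added example, not part of policygentool or of the original manual
       page: it groups AVC denials for one source domain into raw allow rules for review.  The domain name
       myapp_t, the function names and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log format (not real log data).
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:501): avc:  denied  { write } for  pid=2211 comm="myapp" name="myapp.pid" dev="sda1" ino=4101 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:501): arch=c000003e syscall=2 success=yes exit=3 comm="myapp"
type=AVC msg=audit(1400000000.205:502): avc:  denied  { create } for  pid=2211 comm="myapp" name="myapp.pid" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1400000001.310:503): avc:  denied  { name_bind } for  pid=2211 comm="myapp" src=8080 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000002.007:504): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_for_domain(log_text, domain):
    """Group denied permissions by (target type, class) for one source domain."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no AVC decision
        m = AVC_RE.search(line)
        if m is None or context_type(m["scon"]) != domain:
            continue  # granted decisions and other domains are out of scope
        key = (context_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped

def allow_rules(grouped, domain):
    """Render the grouped denials as te-file allow rules, sorted for stable review."""
    return [
        "allow %s %s:%s { %s };" % (domain, ttype, tclass, " ".join(sorted(perms)))
        for (ttype, tclass), perms in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in allow_rules(denials_for_domain(SAMPLE_LOG, "myapp_t"), "myapp_t"):
        print(rule)
```

       audit2allow -R goes one step further and tries to express such rules through reference policy
       interfaces; either way, review each rule before adding it to myapp.te.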

OPTIONS

       -h, --help
              Print a short usage message.

FILES

       myapp.te, myapp.if, myapp.fc.

SEE ALSO

       semodule(8), check_policy(8), load_policy(8).

BUGS

       None known.

AUTHOR

       This manual page was written by Manoj Srivastava <srivasta@debian.org>, for the Debian GNU/Linux system.