New Security Feature in Fedora 18 Part 8: Introducing sepolicy generate

sepolgen is the tool that I recommend people use to start generating policy. We have decided to merge this tool into the sepolicy suite.

sepolicy generate

man sepolicy-generate

sepolicy-generate(8)

       sepolicy-generate - Generate an initial SELinux policy module template.

       sepolicy generate [-h] [-t TYPE] [-n NAME] [-T TEST] [ command | confineduser ]

       Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.

       Type Enforcing File NAME.te
       This file can be used to define all the types rules for a particular domain.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.

       File Context NAME.fc
       This file defines the default file contexts for the system: it takes the file types created in the te file and associates file paths with those types.  Tools like restorecon and RPM use these paths to put down labels.

       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labelling. The spec file also installs the interface file and a man page describing the policy.  You can use sepolicy manpage -d NAME to generate the man page.

       Shell File
       This is a helper shell script to compile, install and fix the labelling on your test system.  It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.

       If a generate is possible, this tool will print out all generate paths from the source domain to the target domain

       -h, --help
              Display help message

       -t, --type
              Specify the type of policy you want to create.
              Valid Options:
              0 : Standard Init Daemon (Default)
              1 : DBUS System Daemon
              2 : Internet Services Daemon
              3 : Web Application/Script (CGI)
              4 : User Application
              5 : Sandbox
              6 : Minimal Terminal User Role
              7 : Minimal X Windows User Role
              8 : User Role
              9 : Admin User Role
               10 : Root Admin User Role

       -n, --name
              Specify alternate name of policy. The policy will default to the executable or name specified.

       sepolicy generate /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files in:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script

sepolicy generate has some nice new features over sepolgen.
  1. sepolicy generate does not need to be run as root.
  2. sepolicy generate now generates an RPM spec file. This spec file can be used to build an RPM package that will install the policy package file (pp) and interface file (if) in the correct location, install it into the kernel and fix the labelling.
  3. The sepolicy generated setup script continues to install the policy and set up the labelling, and also generates a man page based on the installed policy using sepolicy manpage; finally it builds and compiles the policy and man page into an RPM ready to be installed on other machines.
selinux-polgengui no longer needs to be run as root either, since it uses the sepolicy generate python bindings to generate the policy files. The sepolgen command now just executes sepolicy generate as a shell script.
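The steps the post describes (generate the template files, compile them into a policy package, install it, fix the labelling, confirm the transition) can be driven from one script. The following is an added example, not code from the post or from the sepolicy project. It assumes the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile, the standard sepolicy/semodule/restorecon/sesearch tools, and that the helper shell script is written as NAME.sh (the man page excerpt above calls it only "Shell File"; the name is an assumption here). The privileged part only runs when an executable path is passed and sepolicy is installed; the helper functions work anywhere.

```shell
#!/bin/sh
# Added example (not from the post): drive the sepolicy generate workflow
# for one daemon executable and check the results along the way.

# Default policy name chosen by sepolicy generate: the executable's basename.
policy_name_for() {
    basename "$1"
}

# The files the man page describes, for a policy named $1.
# NAME.sh is an assumption: the excerpt does not state the script's filename.
expected_outputs() {
    name="$1"
    printf '%s\n' "$name.te" "$name.if" "$name.fc" "${name}_selinux.spec" "$name.sh"
}

# Count how many of the expected files for policy $1 exist in directory $2.
count_generated() {
    n=0
    for f in $(expected_outputs "$1"); do
        [ -f "$2/$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Full workflow: generate the template, build the module, install it,
# relabel the executable, and show the resulting domain transition.
confine_daemon() {
    exe="$1"
    name=$(policy_name_for "$exe")
    workdir=$(mktemp -d)
    cd "$workdir" || return 1

    # -t 0 is the Standard Init Daemon template (the default).
    sepolicy generate -t 0 "$exe" || return 1
    if [ "$(count_generated "$name" "$workdir")" -ne 5 ]; then
        echo "generation incomplete in $workdir" >&2
        return 1
    fi

    # Build NAME.pp from the .te/.if/.fc with the policy devel Makefile
    # (the same thing the generated setup script does before semodule -i).
    make -f /usr/share/selinux/devel/Makefile "$name.pp" || return 1

    # Install into the kernel (needs root), then apply the new file labels.
    semodule -i "$name.pp" || return 1
    restorecon -Rv "$exe"

    # Checks: the executable now carries NAME_exec_t, and init_t should
    # transition into NAME_t when it runs the executable.
    ls -Z "$exe"
    sesearch -T -s init_t -t "${name}_exec_t" -c process
}

# Only run the privileged workflow when given an executable path and
# sepolicy is actually installed; the helpers above need neither.
if [ -n "${1:-}" ] && command -v sepolicy >/dev/null 2>&1; then
    confine_daemon "$1"
fi
```

Run it as `sh confine.sh /usr/sbin/rwhod` on the test machine; the sesearch line at the end is the quick confirmation that the new domain is actually reached, which is the point of generating the policy in the first place.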
