# Declares the module name and version for this loadable policy module.
policy_module(MODULENAME,1.0)

# NOTE:
# Replace MODULENAME with the desired module name and save this file under
# that name with a .te suffix.
# NOTE(review): the .te suffix belongs to the file name; the name passed to
# policy_module is expected to be the bare module name - confirm.
# Do not give the module the same name as a module already shipped in the
# policy package, or your new module will overwrite it.
#
# FOR EXAMPLE: mypolicy.te
#
# You can build/load the module using:
#   make -f /usr/share/selinux/devel/Makefile MODULENAME.pp
#   semodule -i MODULENAME.pp
# The package suffix is lower-case .pp; on a case-sensitive file system an
# upper-case .PP target does not match the build rule.
#
# Replace DOMAIN_t with the source type(s) you want to add rules for.
# Replace FILE_t with the target type(s) you want to add rules for.
# Replace ROLE_r with the role(s) you want to add rules for.
#
# The /usr/sbin/audit2allow command can generate these rules for you from
# AVC messages in /var/log/audit/audit.log or /var/log/messages
#
#   grep DOMAIN_t /var/log/audit/audit.log | audit2allow -R >> MODULENAME.te
#
# Or you can use audit2allow to generate the entire module itself.
#   grep DOMAIN_t /var/log/audit/audit.log | audit2allow -R -M MODULENAME
#
# audit2allow turns every denial it is fed into an allow rule. Read each
# generated rule before loading it: a denial can also come from a mislabeled
# file or a disabled boolean, and in those cases fixing the label or boolean
# keeps the domain confined where a new allow rule would widen it.
#
# If you are generating a brand new policy from scratch, you probably should use
#   sepolicy generate /PATHTO/EXE
#

########################################
#
# Declarations
#

# If you want to require TYPE, ROLE
# then uncomment the following lines:
#
# require {
#	type DOMAIN_t;
#	type FILE_t;
#	role ROLE_r;
# }

########################################
#
# MODULENAME local policy
#

# Example ALLOW/DONTAUDIT rules
# Keep each rule to the single permission that was denied: signal and append
# below are narrower than the broader permission sets they could be replaced by.
# allow DOMAIN_t self:process signal;
# allow DOMAIN_t FILE_t:file append;
#
# dontaudit still denies the access but stops the denial from being logged,
# so use it only for denials already understood to be harmless. To see the
# suppressed denials while troubleshooting, rebuild with semodule -DB and
# restore normal behaviour afterwards with semodule -B.
# dontaudit DOMAIN_t FILE_t:file write;