seedit-template -r <role> -u <user> -o <output directory>
If you specify the -o option, the configuration is written to a file. Before writing to a file, run the command without the -o option to check the output.
The following is an example of generating the configuration for the webmaster_r role.
# seedit-template -r webmaster_r -u webmaster
{
role webmaster_r;
user webmaster;
include user_common.sp;
include common-relaxed.sp;
allow ~/** r,w,s;
allowpriv part_relabel;
allowpriv dac_override;
allowpriv dac_read_search;
}
The template configuration is generated. The user webmaster can use the
webmaster_r role. Including the common configurations imports the access
rights needed to behave as a login user; system-critical access rights are
not allowed here.
webmaster_t is also allowed to access user webmaster's home
directory (when user webmaster logs in as webmaster_r, he can access his
home directory).
allowpriv part_relabel;
This is necessary to use restorecon. You can use restorecon on files that webmaster_r can write. If you do not use restorecon, delete this.
allowpriv dac_override; allowpriv dac_read_search;
These are necessary to skip the Linux permission check.
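One way to review the previewed template before writing it with -o, as an added example that is not part of the seedit documentation. The function names are hypothetical, and the sample input is the webmaster_r output shown above.

```shell
#!/bin/sh
# Added example: review a seedit-template preview before writing it with -o.
# sample_template reproduces the webmaster_r output shown on this page.
sample_template() {
cat <<'EOF'
{
role webmaster_r;
user webmaster;
include user_common.sp;
include common-relaxed.sp;
allow ~/** r,w,s;
allowpriv part_relabel;
allowpriv dac_override;
allowpriv dac_read_search;
}
EOF
}

# list_privs: print one privilege name per line from a template on stdin.
list_privs() {
    awk '$1 == "allowpriv" { sub(/;.*/, "", $2); print $2 }'
}

# dac_bypass_privs: print only the privileges that skip Linux permission checks.
dac_bypass_privs() {
    list_privs | awk '/^dac_(override|read_search)$/'
}

# drop_priv NAME: copy the template from stdin, omitting "allowpriv NAME;".
drop_priv() {
    awk -v p="$1" '!($1 == "allowpriv" && $2 == (p ";"))'
}

# review: summarize what the role is granted so it can be checked by eye.
review() {
    tpl=$(cat)
    echo "privileges: $(printf '%s\n' "$tpl" | list_privs | tr '\n' ' ')"
    echo "DAC bypass: $(printf '%s\n' "$tpl" | dac_bypass_privs | tr '\n' ' ')"
    echo "without restorecon (part_relabel removed):"
    printf '%s\n' "$tpl" | drop_priv part_relabel
}

sample_template | review
```

On a system with seedit installed, pipe the preview (the command run without -o) into review in place of sample_template.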