Next: 5.3 To load policy
Up: 5 Sample Simplified Policy
Previous: 5.1 Default configuration in
The sample simplified policy is located at
"/etc/selinux/seedit/src/policy/".
That directory contains the directories and files described below.
5.2.1 simplified_policy
This is the most important directory: the sample simplified policy is stored here. For details of the simplified policy syntax, see 8.
The sample simplified policy is described in global and domain.te.
- global
This configuration is shared by all domains. Note that some
access rights (for example, tmpfs usage and tty device access)
are granted by default, to show that SELinux can be made
easy.
- domain.a
The configuration for each domain is described here. For example, the
file httpd_t.a describes the configuration for the httpd_t
domain.
- all
global and *.a are concatenated into this file, which the converter
reads. This file is generated automatically. Do not edit it.
This is the Makefile used to compile the simplified policy and to load
the policy into the kernel. See 5.3.
5.2.3 base_policy
The files in this directory are used by the converter to generate the
SELinux policy. Usually you do not have to touch them.
- default.te
This file is useful. Statements written in this file are included
in the policy generated by the converter.
In addition, you can write original SELinux rules here. Writing auditallow rules is a good idea. However, allow rules must not be written here, because they can break the security of the generated policy.
- unsupported.te
Statements written in this file are included
in the policy generated by the converter. This file
describes the unsupported permissions. The permissions described in
this file are allowed to all domains. Do not edit them.
- attribute.te
This file describes the attributes used in the policy generated by the converter. Do not edit it.
- types.te
This file describes the types used in the policy generated by the converter. Do not edit it.
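A check for the default.te rule above, as an added example that is not part of seedit or this manual: it reports allow statements while ignoring auditallow, and returns a non-zero status so it can gate a policy build. The helper names and the sample rules are constructed for illustration, and only `#` comments are recognised.

```shell
#!/bin/sh
# Added example (not part of seedit). find_allow_rules and write_sample are
# hypothetical helper names.

# Print "LINE: text" for each line of FILE that carries an allow keyword and
# return 1 if any was found, 0 otherwise. auditallow, neverallow and
# dontaudit are not reported. Only "#" comments are stripped.
find_allow_rules() {
    awk '
    {
        sub(/#.*/, "")            # ignore comments
        line = " " $0 " "         # pad so the keyword test works at both ends
        # allow as a whole word, not the tail of auditallow or neverallow
        if (line ~ /[^A-Za-z0-9_]allow[ \t{]/) {
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            printf "%d: %s\n", NR, line
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Constructed sample input; the rules below are illustrative, not seedit's own.
write_sample() {
    cat > "$1" <<'EOF'
# constructed default.te for the check
auditallow httpd_t shadow_t:file read;
# allow httpd_t shadow_t:file read;
allow httpd_t shadow_t:file read;
if (example_bool) { allow httpd_t tmp_t:dir search; }
neverallow httpd_t self:capability sys_module;
EOF
}

# Demo on the constructed file. In practice, pass default.te from the
# base_policy directory under /etc/selinux/seedit/src/policy/.
sample=$(mktemp)
write_sample "$sample"
find_allow_rules "$sample" || echo "allow rules found: remove them from default.te"
rm -f "$sample"
```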
The files below have the same meaning as in the original SELinux
policy. Do not edit them.
- genfs_contexts
Unlabeled file systems are not supported.
- security_classes
- access_vectors
- initial_sid_contexts
- fs_use
- initial_sids
The macros used to generate the SELinux policy are stored here. The converter
generates a policy that includes macros. During make, the macros are processed
by m4 and policy.conf is generated.
The generated SELinux policy is written to this directory.
- test.conf
Policy that includes macros.
- policy.conf
Policy file that has been processed by m4. checkpolicy can read this file.
- file_contexts
This will be installed in /etc/selinux/seedit/contexts/files/file_contexts.
2006-02-27