A SELinux policy manager, module build system, and audit utility
Justin Collier 35e8723622
Merge branch 'patch-0.1.2'
2023-08-03 22:13:03 -07:00
CHANGELOG updated changelog 2023-08-03 22:12:50 -07:00
LICENSE 0.1.0: initial release 2023-07-31 20:29:40 -07:00
README.md converting README to markdown 2023-08-03 22:10:10 -07:00
seutl 0.1.0: initial release 2023-07-31 20:29:40 -07:00

README.md

                      __  .__
  ______ ____  __ ___/  |_|  |
 /  ___// __ \|  |  \   __\  |
 \___ \\  ___/|  |  /|  | |  |__
/____  >\___  >____/ |__| |____/
     \/     \/

usage: seutl [-hVlcadxfn] [ -[D|B] | [-rP | [-AU] -[X|I][=BIN] [-u USR] [-T TYP]... [-eEi]] ID ]
A SELinux policy manager, module build system, and audit utility.
Combines various SELinux tools and workflows into one interface.

ENV
  [SEUTL_POLICIES_DIR=/etc/selinux/seutl] - policy storage location
  [SEUTL_POLICY_PREFIX="seutl_"]          - prefix to uniquely identify seutl policies
  [EDITOR=vi]                             - editor for -e

INFO
  -h --help        display this help message and exit
  -V --version     display version and copyright information and exit

FLAGS
  -l --list        print a list of seutl modules and their installation state (at end)
  -c --clear       clear /var/log/audit.log* (at end)
  -a --audit       print AVC violations as allow rules (at start; uses audit.log unless -d)
  -d --dmesg       use dmesg instead of audit.log* for --audit and --allow (implies -a)
  -x --explain     attach explanations to --audit and --allow rules
  -f --force       don't ask for verification before policy changes
  -n --new         allow -AXIT to create a new policy, and prevent overwriting an existing one

MODES
  -D --doaudit     rebuild system policy without dontaudit rules (semodule -DB)
  -B --dontaudit   rebuild system policy with    dontaudit rules (semodule -B)

POLICY
  -A --allow       update policy with new --audit allow rules (implies -a)
  -U --update      update policy with allow rules, install, and clear logs (implies -Aic)
  -X --exec[=BIN]  create application types for this policy
  -u --user USR    specify a SELinux user context (system_u by default); requires --exec
  -I --init[=BIN]  create init daemon types for this policy
  -T --type TYP    add a custom type to the policy (see TYP for details)
  -e --edit-src    edit sources before consolidation  (confirms after edit if -i and not -f)
  -E --edit-out    edit output files before make/inst (confirms after edit if -i and not -f)

MODULE
  -i --install     build and install the policy
  -r --remove      remove the policy from the system
  -P --purge       erase the policy files

ID
  Policy ID (loaded into the system as "${SEUTL_POLICY_PREFIX}_ID")

BIN
  The binary to associate with ID_exec_t (may be in PATH or an absolute or relative path).
  Unnecessary if same as ID.

TYP
  Represents a type name (e.g. ID=foo, TYP=etc --> foo_etc_t).

  Several names are understood by sepolicy generate --newtype:

    tmp        -->  ID_tmp_t      unit_file  -->  ID_unit_file_t
    var_cache  -->  ID_cache_t    var_lib    -->  ID_var_lib_t
    var_log    -->  ID_log_t      var_run    -->  ID_var_run_t
    var_spool  -->  ID_spool_t    port       -->  ID_port_t

  All other names will create a simple type definition and
  files_type attribution instead of using sepolicy generate.
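The --audit / --allow step described above (reading AVC denials from audit.log or dmesg, collapsing them into `allow` rules per source type, target type and object class, and optionally attaching an explanation as -x does) is illustrated here with an added, stand-alone Python example. It is not seutl's own code (seutl is a shell script that drives the standard SELinux tools) and does not reproduce its output format; the log lines, the `foo_t` / `foo_etc_t` / `foo_port_t` type names and the module name are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample input: two audit.log-style AVC records, one dmesg-style
# record (the form --dmesg would read) and one non-AVC record that must be
# ignored. None of this comes from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1691100000.123:456): avc:  denied  { read } for  pid=1234 comm="foo" name="foo.conf" dev="sda1" ino=99 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:foo_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691100000.124:457): avc:  denied  { open } for  pid=1234 comm="foo" path="/etc/foo/foo.conf" dev="sda1" ino=99 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:foo_etc_t:s0 tclass=file permissive=0
[   12.345678] audit: type=1400 audit(1691100000.125:458): avc:  denied  { name_bind } for  pid=1234 comm="foo" src=8080 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:foo_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1691100000.125:458): arch=c000003e syscall=49 success=no exit=-13
"""

# "avc: denied { perms } for key=value ..." is common to both log sources.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's permissions, source/target types, class and
    a short description of what was accessed, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type[:level]; the policy rule needs the type.
        src_type = fields["scontext"].split(":")[2]
        tgt_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "src": src_type,
        "tgt": tgt_type,
        "tclass": tclass,
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name") or fields.get("src"),
    }


def allow_rules(text, explain=False):
    """Merge every denial sharing (source, target, class) into one allow rule.
    With explain=True each rule is preceded by a comment naming the process
    and object that triggered it, in the spirit of seutl's -x flag."""
    perms_by_key = defaultdict(set)
    reasons_by_key = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["src"], d["tgt"], d["tclass"])
        perms_by_key[key] |= d["perms"]
        if d["comm"]:
            reasons_by_key[key].add(f'{d["comm"]} -> {d["object"] or "?"}')
    rules = []
    for key in sorted(perms_by_key):
        src, tgt, tclass = key
        perms = " ".join(sorted(perms_by_key[key]))
        rule = f"allow {src} {tgt}:{tclass} {{ {perms} }};"
        if explain:
            rule = "# " + "; ".join(sorted(reasons_by_key[key])) + "\n" + rule
        rules.append(rule)
    return rules


def te_module(name, rules):
    """Wrap allow rules in a minimal type-enforcement source with the
    require block the rules need (constructed layout, not seutl's)."""
    types, classes = set(), defaultdict(set)
    for rule in rules:
        body = rule.splitlines()[-1]
        m = re.match(r"allow (\S+) (\S+):(\S+) \{ (.*) \};", body)
        src, tgt, tclass, perms = m.groups()
        types.update((src, tgt))
        classes[tclass].update(perms.split())
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(te_module("seutl_foo", allow_rules(SAMPLE_LOG, explain=True)))
```

The merge step matters: two denials against the same file (read, then open) become one `allow foo_t foo_etc_t:file { open read };` rather than two rules, which is what you want to review before deciding whether the access is legitimate enough to install. The explanation comments exist for that review, since a denial is only a reason for an allow rule once you have confirmed the process should have had the access.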

jpcx.dev/seutl 0.1.0

Copyright (C) 2023 Justin Collier <m@jpcx.dev>
License  AGPLv3+:  GNU  Affero GPL  version 3 or later
<https://gnu.org/licenses/agpl-3.0.html>. This is free
software:  you are free to change and redistribute it.
There is NO WARRANTY,  to the extent permitted by law.