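On Tue, 2014-01-21 at 14:21 +0000, William Hargrove wrote:
> I want to convert the selinux commands that I have created for a
> custom install of apache into an selinux policy such that it could be
> applied to multiple machines using puppet.
> Its (next to) possible but it will be rather ugly

You can make the booleans unconditional by just adding the conditional rules unconditionally

The workaround you did for the httpd_port_t addition is ugly but it works

The file context specs can be done as shown below.

My example below may have typos and errors (i havent tested it) and this pos e-mail client messes with the format. Its a compromise for sure, but compromises can be made

The below would be it for Fedora 20:

# Quoted heredoc delimiter: nothing inside is expanded by the shell, so the
# m4 backtick in gen_require needs no escaping.  ">" rather than ">>" so that
# re-running the snippet does not append a second copy of the module source.
cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)

# Every type/attribute used below must already exist in the base policy;
# the module fails to build or load if any name here is wrong.
gen_require(`
	type httpd_sys_script_t, httpd_suexec_t;
	attribute client_packet_type, port_type;
	type node_t, netif_t, port_t;
	type httpd_exec_t, httpd_sys_content_t, httpd_t, httpd_var_run_t;
	type http_cache_port_t, http_port_t, gopher_client_packet_t;
	attribute ephemeral_port_type;
	type http_cache_client_packet_t;
	type ftp_port_t, memcache_port_t, ftp_client_packet_t;
	type http_client_packet_t, squid_port_t, gopher_port_t;
	type squid_client_packet_t;
')

# These are the rule bodies that the httpd_* booleans normally gate, added
# here unconditionally: once this module is loaded they can no longer be
# switched off with setsebool.  The "port_type" / "ephemeral_port_type"
# attributes cover every labelled port, so the rules on them let httpd_t,
# the CGI domain and the suexec domain connect to any port; the per-port
# rules on httpd_t below are subsumed by "allow httpd_t port_type".
allow httpd_t http_cache_port_t : tcp_socket name_connect ;
allow httpd_t http_port_t : tcp_socket name_connect ;
allow httpd_t gopher_client_packet_t : packet { send recv } ;
allow httpd_t ephemeral_port_type : tcp_socket name_connect ;
allow httpd_t http_cache_client_packet_t : packet { send recv } ;
allow httpd_t ftp_port_t : tcp_socket name_connect ;
allow httpd_t memcache_port_t : tcp_socket name_connect ;
allow httpd_t ftp_client_packet_t : packet { send recv } ;
allow httpd_t http_client_packet_t : packet { send recv } ;
allow httpd_t squid_port_t : tcp_socket name_connect ;
allow httpd_t gopher_port_t : tcp_socket name_connect ;
allow httpd_t squid_client_packet_t : packet { send recv } ;
allow httpd_t httpd_exec_t:dir search;
allow httpd_t httpd_var_run_t:lnk_file read;
allow httpd_t port_t:tcp_socket name_bind;
allow httpd_sys_script_t client_packet_type : packet { send recv } ;
allow httpd_suexec_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_suexec_t port_type : udp_socket { recv_msg send_msg } ;
allow httpd_sys_script_t httpd_sys_script_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow httpd_sys_script_t httpd_sys_script_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow httpd_suexec_t client_packet_type : packet { send recv } ;
allow httpd_sys_script_t node_t : tcp_socket node_bind ;
allow httpd_sys_script_t node_t : udp_socket node_bind ;
allow httpd_sys_script_t node_t : node { tcp_recv tcp_send udp_recv udp_send recvfrom sendto } ;
allow httpd_t port_type : tcp_socket name_connect ;
allow httpd_suexec_t node_t : node { tcp_recv tcp_send udp_recv udp_send recvfrom sendto } ;
allow httpd_sys_script_t netif_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress } ;
allow httpd_suexec_t httpd_suexec_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow httpd_suexec_t httpd_suexec_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow httpd_suexec_t netif_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress } ;
allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_sys_script_t port_type : udp_socket { recv_msg send_msg } ;
EOF

# File contexts.  The first spec labels the whole apache tree (not just the
# binaries) as httpd_exec_t, so everything under it becomes an entrypoint
# executable for httpd_t; narrow the regex if config/logs live there too.
cat > mytest.fc <<'EOF'
/opt/custom/apache(/.*)?	gen_context(system_u:object_r:httpd_exec_t,s0)
/var/custom/webcontent(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
# Relabel the same paths the .fc above declares (the content dir is under
# /var/custom, not /opt/custom); relabelling needs root like semodule does.
sudo restorecon -R -v -F /opt/custom/apache /var/custom/webcontent

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux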