Tool helps determine what raw allow rules will be enabled using specific selinux policy m4 macro. Generated output is in CIL representation or in policy source (.te) format.
./macro-expander.sh [ -c | -t [ -M ] ] <macro>
Options:
-c generate CIL output
-t generate standard policy source format (.te) allow rules - this is default
-M generate complete module .te output
./macro-expander.sh "NAME_OF_MACRO(SELINUX_DOMAIN)"
$ git clone https://github.com/wrabcak/macro-expander.git
$ cd macro-expander
$ ./macro-expander.sh "apache_read_log(mysqld_t)"
allow mysqld_t var_t:dir { getattr search open };
allow mysqld_t var_log_t:dir { getattr search open };
allow mysqld_t httpd_log_t:dir { getattr search open read lock ioctl };
allow mysqld_t httpd_log_t:dir { getattr search open };
allow mysqld_t httpd_log_t:file { open { getattr read ioctl lock } };
allow mysqld_t httpd_log_t:dir { getattr search open };
allow mysqld_t httpd_log_t:lnk_file { getattr read };
$ ./macro-expander.sh -c "apache_read_log(mysqld_t)"
(allow mysqld_t httpd_log_t (dir (getattr search open)))
(allow mysqld_t httpd_log_t (dir (ioctl read getattr lock search open)))
(allow mysqld_t httpd_log_t (file (ioctl read getattr lock open)))
(allow mysqld_t httpd_log_t (lnk_file (read getattr)))
(allow mysqld_t var_log_t (dir (getattr search open)))
(allow mysqld_t var_t (dir (getattr search open)))