Libsemanage is the library responsible for building a kernel policy from policy modules. It has many features but one that is rarely mentioned is the policy validation hook. This page will show you how to make a basic validator and tell libsemanage to run it before allowing any policy updates.

First we'll write the validator. In this case we'll use sesearch to search for a rule between user_t and shadow_t. The purpose of this validator is to never allow a policy update that allows user_t to access shadow_t. To use the script below you need to have setools-console installed. Make a file in /usr/local/bin/validate that contains the following (remember to chmod +x it or semodule will fail):
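The validator script itself is missing from this copy of the page. What follows is an added example, not the page's own script, that implements the check described above: it runs sesearch from setools-console for allow rules from user_t to shadow_t and exits non-zero when any is found, so libsemanage refuses the update. It assumes libsemanage invokes the validator with the candidate policy file as its first argument (the `args = $@` convention in semanage.conf) and that `sesearch` is on PATH; the accept/reject decision is kept in its own function so it can be exercised on captured sesearch output without a policy file.

```shell
#!/bin/sh
# Added example policy validator for the libsemanage validation hook.
# Not the wiki page's script. Assumes libsemanage runs it as
# "validate <policy-file>" (args = $@ in semanage.conf) and that the
# setools-console sesearch command is on PATH.

SOURCE_TYPE=user_t
TARGET_TYPE=shadow_t

# decide OUTPUT: inspect captured sesearch output. Returns 0 (accept the
# policy) when it contains no allow rule and 1 (reject) when one is
# present. sesearch was already filtered by source and target type, so
# any "allow ..." line means user_t can reach shadow_t.
decide() {
    if printf '%s\n' "$1" | grep -q '^allow '; then
        echo "validate: policy allows $SOURCE_TYPE access to $TARGET_TYPE, rejecting" >&2
        return 1
    fi
    return 0
}

# validate_policy FILE: run sesearch against the candidate kernel policy
# and hand the result to decide. An unreadable file or a failing sesearch
# is an error (exit 2) rather than a silent accept, so a broken hook never
# lets a policy through by accident.
validate_policy() {
    policy=$1
    if [ ! -r "$policy" ]; then
        echo "validate: cannot read policy file '$policy'" >&2
        return 2
    fi
    if ! rules=$(sesearch --allow -s "$SOURCE_TYPE" -t "$TARGET_TYPE" "$policy"); then
        echo "validate: sesearch failed on '$policy'" >&2
        return 2
    fi
    decide "$rules"
}

# Only act when a policy file is passed; with no argument the functions
# are merely defined (handy for sourcing the script to test it).
if [ $# -gt 0 ]; then
    validate_policy "$1"
    exit $?
fi
```

The decision deliberately rejects on any `allow` line rather than matching `user_t shadow_t` literally, because sesearch may report a rule whose source or target is an attribute containing those types, and the rule line then names the attribute instead. Failing closed on unreadable input matters too: a validator that exits 0 when it could not actually inspect the policy gives no protection at all.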