4.2. Policy Macros

Much of the SELinux security policy is written using m4 macros. For example, the can_network macro can be passed a domain as an argument, and upon policy compilation the macro expands into several allow lines that give the specified domain the ability to open ports and connect to remote nodes.

Macros save large amounts of time when writing policy, at the expense of some redundancy within the policy. Macros are kept in the macros subdirectory of the policy source. Policy authors should read and understand these macros, because they are a large part of successfully writing new policy and understanding existing policy.
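
The expansion mechanism described above, as an added example that is not taken from the policy source: example_can_network is a hypothetical, simplified macro in the style of can_network, not the definition found in the macros subdirectory. The rules in its body and the two sample domains (httpd_t, named_t) are assumptions chosen for illustration.

```m4
dnl Added example. example_can_network is hypothetical and simplified;
dnl read the real can_network definition in the macros subdirectory
dnl before relying on what it grants.
dnl
dnl Inside the body, $1 stands for the domain passed as the argument.
define(`example_can_network', `
allow $1 self:tcp_socket { create connect read write };
allow $1 self:udp_socket { create connect read write };
allow $1 port_type:tcp_socket name_bind;
allow $1 node_type:node { tcp_send tcp_recv udp_send udp_recv };
')dnl
dnl
dnl Two domains request network access with one line each.
dnl m4 replaces each call with the full set of allow rules for that domain.
example_can_network(httpd_t)
example_can_network(named_t)
```

Running this file through m4 emits one copy of the four allow rules for each domain. That per-domain repetition is the redundancy the section mentions, and it is also why a single macro call can grant more access than its name suggests, so the expanded rules are what should be reviewed.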