# Apply SELinux policy to an application

Source: [https://docs.qualcomm.com/doc/80-41102-1/topic/Apply-SELinux-policy-to-an-application.html](https://docs.qualcomm.com/doc/80-41102-1/topic/Apply-SELinux-policy-to-an-application.html)

TelAF is well integrated with the system SELinux policy and provides interfaces that let TelAF applications and services create and build their own SELinux policies.

TelAF also manages the SELinux modules of its applications and services. When launching an application or service, TelAF first checks its SELinux policy module and loads the module into the system only if it passes the check. When an application or service is upgraded or removed, its corresponding SELinux module is upgraded or removed as well.

TelAF supplies a unified set of templates that an application uses to define its own SELinux policy.

## Create a SELinux policy directory

Create the application's policy directory under `<source_root>\telaf\security\selinux\sepolicy\`.

Note: The Yocto build scans the `<source_root>\telaf\security\selinux\sepolicy` subdirectories and compiles all SELinux policy modules into the rootfs image. It is recommended to manage all applications' SELinux policy modules under the existing subfolders.

## Create the application's SELinux policy

Create the application's own .te, .fc, .if, Makefile, and Component.cdef files in the directory created in the previous step, following the templates shown below.

The following is an example directory structure of the application SELinux policy:

    ├── Component.cdef
    ├── Makefile
    ├── your_app_name.fc
    ├── your_app_name.if
    └── your_app_name.te

1. Create the Component.cdef file.

        externalBuild:
        {
            "make -f ${CURDIR}/Makefile -C ${CURDIR}/ clean"
            "make -f ${CURDIR}/Makefile -C ${CURDIR}/"
        }
        
        bundles:
        {
            file:
            {
                [r] ${CURDIR}/your_app_name.pp /
            }
        }
2. Create the Makefile.

        # Makefile for building SELinux module
        
        AWK ?= gawk
        NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(OECORE_TARGET_SYSROOT)/etc/selinux/config))
        SHAREDIR := $(OECORE_TARGET_SYSROOT)/usr/share/selinux/mls
        
        ifeq ($(MLSENABLED),)
            MLSENABLED := 1
        endif
        
        ifeq ($(MLSENABLED),1)
            NTYPE = mcs
        endif
        
        ifeq ($(NAME),mls)
            NTYPE = mls
        endif
        
        TYPE ?= $(NTYPE)
        
        HEADERDIR := $(SHAREDIR)/include
        include $(HEADERDIR)/Makefile
3. Create the application file context.
            
    The application's file context definition, which is defined in .fc, appears similar to the following sample:

        /legato/systems/current/appsWriteable/<your_app_name>/lib(/.*)?                 gen_context(system_u:object_r:telaf_lib_t,s0)
        /legato/systems/current/appsWriteable/<your_app_name>/bin/<your_app_name>       gen_context(system_u:object_r:telaf_<your_app_name>_exec_t,s0)
        /legato/apps/[^/]*/read-only/bin/<your_app_name>                                gen_context(system_u:object_r:telaf_<your_app_name>_exec_t,s0)
4. Create the application type enforcement.
            
    Define the rules in the .te file as follows:

        policy_module(<your_app_name>, 1.0)
        
        # The context of the application executable
        type telaf_<your_app_name>_exec_t;
        files_type(telaf_<your_app_name>_exec_t);
        
        # The domain of the application
        
        type telaf_<your_app_name>_t;
        
        # The optional data context of the application
        
        type telaf_<your_app_name>_data_t;
        files_type(telaf_<your_app_name>_data_t);
        
        # The type transition of the application
        
        init_telaf_app_domain(telaf_<your_app_name>_t,telaf_<your_app_name>_exec_t)
        
        # Allow update daemon to install/uninstall the application
        telaf_admin_manage_all_files_perms(telaf_<your_app_name>_data_t)
        telaf_admin_manage_all_files_perms(telaf_<your_app_name>_exec_t)
5. Create the application policy interface.
            
    Create the `<your_app_name>.if` file in the same folder. If the policy module supplies no interface, leave it as an empty file.
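
A consistency check between the filled-in .te and .fc files catches labeling mistakes before the build. This is an added example, not part of the TelAF documentation or tooling; the function name `lint_policy`, the app name `demo`, and the assumption that `telaf_lib_t` is declared outside the application's module are illustrative.

```python
import re

# Matches "<path regex>  gen_context(user:role:type,range)" and captures the type
FC_LINE = re.compile(r"^\S+\s+gen_context\(\s*[^:]+:[^:]+:([^,\s]+)\s*,")
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
MODULE = re.compile(r"^\s*policy_module\(\s*([^,\s]+)\s*,", re.M)

def lint_policy(app, te_text, fc_text, external=("telaf_lib_t",)):
    """Return findings (empty list = consistent). `external` holds types assumed
    to be declared outside the app module (assumption: telaf_lib_t)."""
    findings = []
    declared = set(TYPE_DECL.findall(te_text))
    module = MODULE.search(te_text)
    if not module or module.group(1) != app:
        findings.append(f"policy_module name does not match {app}")
    labelled = set()
    for n, line in enumerate(fc_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "<your_app_name>" in line:
            findings.append(f"fc line {n}: template placeholder left in")
            continue
        m = FC_LINE.match(line)
        if not m:
            findings.append(f"fc line {n}: not a gen_context() entry")
            continue
        labelled.add(m.group(1))
        if m.group(1) not in declared and m.group(1) not in external:
            findings.append(f"fc line {n}: {m.group(1)} is not declared in the .te")
    # The .te's type transition names the exec type, so some file must carry it
    exec_t = f"telaf_{app}_exec_t"
    if exec_t in declared and exec_t not in labelled:
        findings.append(f"{exec_t} is declared but no file is labelled with it")
    return findings

# Constructed sample: the page's templates filled in for a hypothetical app "demo"
TE = """policy_module(demo, 1.0)
type telaf_demo_exec_t;
files_type(telaf_demo_exec_t);
type telaf_demo_t;
init_telaf_app_domain(telaf_demo_t,telaf_demo_exec_t)
"""
FC = """\
/legato/systems/current/appsWriteable/demo/lib(/.*)?  gen_context(system_u:object_r:telaf_lib_t,s0)
/legato/systems/current/appsWriteable/demo/bin/demo   gen_context(system_u:object_r:telaf_demo_exec_t,s0)
/legato/apps/[^/]*/read-only/bin/demo                 gen_context(system_u:object_r:telaf_demo_exec_t,s0)
"""
print(lint_policy("demo", TE, FC) or "consistent")
```

A misspelled type in the .fc is reported per line, together with the resulting unlabelled exec type.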

- **[Build the application's SELinux policy](https://docs.qualcomm.com/doc/80-41102-1/topic/Build-the-applications-SELinux-policy.html)**


Last Published: May 12, 2026
