SELinux: How to create a new file type

Solution 1:

I found out that the problem I was having is because I didn't compile the module correctly. As a result the macros probably didn't "take" and the checkmodule policy compiler error messages didn't really help to understand that.

To get all these macros to expand properly, one needs to compile the policy using the Makefiles provided by SELinux - with a TE file called myservice_spool.te, one should execute:

make -f /usr/share/selinux/devel/Makefile myservice_spool.pp

This will create a temporary TE file with all macros expanded, then call the relevant compilers to create myservice_spool.pp.

The Gentoo documentation linked in the OP has slightly more information, though the file paths are not correct for CentOS systems.

If you review the generated TE template in the tmp directory (which the SELinux makefile helpfully leaves in place), you can see that "attributes" is indeed the correct way to specify a type as a file, but we must require them to get them to work. The way SELinux TE files appear to work is that you don't get any symbols magically imported into the configuration file; you have to require anything you use.

So the correct non-macroified way to set up a new file type is something like this (copied from the TE generated template):

type myservice_spool_t;
require {
    attribute spoolfile;
    attribute file_type, non_security_file_type, non_auth_file_type;
} # end require
typeattribute myservice_spool_t file_type, non_security_file_type, non_auth_file_type, spoolfile;

Solution 2:

You need to declare it a member of the files attribute such that it has relabel privileges.

Try

type myservice_spool_t;
files_type(myservice_spool_t)

Or better in your case:

type myservice_spool_t;
files_spool_file(myservice_spool_t)

Given that you are actually making a spool file, this gives other macros the ability to work with that spool if they have 'manage spool' privileges in their policy.

Here's a complete policy module example.

policy_module(`myservice', 1.0.0)

type myservice_spool_t;
files_spool_file(myservice_spool_t)

This would work, but it only declares the type and that's that. You'd need some allow rules to make it do something worthwhile.
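Putting both answers together, here is an added example (not code from either answer) that writes a complete myservice_spool module with the allow rules the second answer says are missing, builds it with the Makefile from the first answer, loads it and relabels the spool directory. The domain names myservice_t / myservice_exec_t and the paths /var/spool/myservice and /usr/sbin/myservice are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example: complete myservice_spool module plus the build/load steps.
# Assumed names: myservice_t / myservice_exec_t for the daemon, and the
# paths /var/spool/myservice and /usr/sbin/myservice.
set -eu

# Write myservice_spool.te and myservice_spool.fc into directory $1.
write_module() {
    dir=$1
    cat > "$dir/myservice_spool.te" <<'EOF'
policy_module(myservice_spool, 1.0.0)

# The daemon domain and its entry point (assumed names).
type myservice_t;
type myservice_exec_t;
init_daemon_domain(myservice_t, myservice_exec_t)

# The new file type: files_spool_file() adds the file_type and spoolfile
# attributes, so the type can be relabelled and is handled by other
# policy that has "manage spool" privileges.
type myservice_spool_t;
files_spool_file(myservice_spool_t)

# Allow rules so the type is actually useful: the daemon may manage its
# spool files/dirs, and anything it creates under /var/spool gets the
# new type automatically instead of inheriting var_spool_t.
manage_dirs_pattern(myservice_t, myservice_spool_t, myservice_spool_t)
manage_files_pattern(myservice_t, myservice_spool_t, myservice_spool_t)
files_spool_filetrans(myservice_t, myservice_spool_t, { dir file })
EOF
    cat > "$dir/myservice_spool.fc" <<'EOF'
/usr/sbin/myservice          --  gen_context(system_u:object_r:myservice_exec_t,s0)
/var/spool/myservice(/.*)?       gen_context(system_u:object_r:myservice_spool_t,s0)
EOF
}

# Compile with the refpolicy devel Makefile, load the module and apply
# the file contexts (needs selinux-policy-devel and root on the target).
build_and_load() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile myservice_spool.pp
    semodule -i "$dir/myservice_spool.pp"
    mkdir -p /var/spool/myservice
    restorecon -Rv /var/spool/myservice
    # Verify: the directory should now carry myservice_spool_t.
    ls -dZ /var/spool/myservice
}
```

Run `write_module .` then `build_and_load .` on the CentOS host; the tmp directory the Makefile leaves behind shows the expanded require blocks described in the first answer.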