SELinux: How to create a new file type

centos7 selinux rhel7

Solution 1:

I found out that the problem I was having is because I didn't compile the module correctly. As a result the macros probably didn't "take" and the checkmodule policy compiler error messages didn't really help to understand that.

To get all these macros to expand properly, one needs to compile the policy using the Makefiles provided by SELinux - with a TE file called myservice_spool.te, one should execute:

make -f /usr/share/selinux/devel/Makefile myservice_spool.pp

This will create a temporary TE file with all macros expanded, then call the relevant compilers to create myservice_spool.pp.

The Gentoo documentation linked in the OP has slightly more information, though the file paths are not correct for CentOS systems.

If you review the generated TE template in the tmp directory (that the SELinux makefile helpfully leaves in place), you can see that "attributes" is indeed the correct way to handle specifying a type as a file, butwe must require them to get them to work - the way SELinux TE files appear to work is that you don't get any symbols magically imported into the configuration file - you have to require anything you use.

So the correct non-macroified way to set up a new file type is something like this (copied from the TE generated template):

type myservice_spool_t;
require {
    attribute spoolfile;
    attribute file_type, non_security_file_type, non_auth_file_type;
} # end require
typeattribute myservice_spool_t file_type, non_security_file_type, non_auth_file_type, spoolfile;

Solution 2:

You need to declare it a member of the files attribute such that it has relabel privileges.

Try

type myservice_spool_t;
files_type(myservice_spool_t)

Or better in your case..

type myservice_spool_t;
files_spool_file(myservice_spool_t)

Given you are actually making a spool file. This gives other macros the ability to work with that spool if they have 'manage spool' privileges in their policy.

Heres a complete policy module example.

policy_module(`myservice', 1.0.0)

type myservice_spool_t;
files_spool_file(myservice_spool_t)

This would work, but only declare the type and thats that. You'd need some allow rules to make it do something worthwhile.

Related

Add GSSAPI to OpenLdap in supportedSASLMechanisms
Is there a way to change the java JRE a linux Jenkins server uses?
How can I determine what permissions my user is missing for receiving a ZFS dataset?
Azure firewall vs Azure network security group
gMSA account authentication failure during password rotation
Is Branch Cache worth considering as a replacement for DFS-R
Open Source / free choices for SFlow monitoring?
Setting up a forwarding-only email server
Web application to manage software distribution
Connection error to mysql database
LDAP authentication: Windows Server2k3 vs. 2k8
Mixing Subversion "SVNParentPath" and per-repository configurations?