how to create a custom SELinux label


With the starting point of running

sepolgen /path/to/binary

which gives you:

app.fc
app.sh
app.if
app.spec
app.te

To create a new SELinux file context to apply to a parent directory that holds files your program/daemon will modify, you edit the app.te file and add :

type app_var_t;
files_type(app_var_t)

The first line declares the new type and the second line calls a macro that does some magic and makes it a file type (turns out you cannot use a process context like app_exec_t on a file or directory); see "SELinux Types Revisited" for more info on the different types.

Once you have the type declared, you need to tell SELinux that your app is allowed to use it. In my case I added:

allow app_t app_var_t:dir { add_name remove_name write search };
allow app_t app_var_t:file { unlink create open rename write read };

Those two lines basically say: allow the app_t type, which is the domain of my app, to write/search/etc. directories with the context app_var_t, and allow it to create/open/delete/etc. files with the context app_var_t.

The last part of the puzzle is to somehow tell SELinux which folder(s) and file(s) should get each type. You do this by editing the app.fc file (fc => file context).

This file only has two lines in my case:

/srv/bot/app        --  gen_context(system_u:object_r:app_exec_t,s0)
/srv/bot(/.*)?          gen_context(system_u:object_r:app_var_t,s0)

The first line points straight to the binary as deployed on my servers, so this one gets the app_exec_t context.

The second line means:

Apply app_var_t to the directory /srv/bot and also to all files inside the dir /srv/bot.

Note how the first line has -- between the path and the call to gen_context. -- means: apply this to files only. In the second case we don't have anything (just spaces), which means: apply to all matching directories and files, which is what I wanted. Another option is to have -d to apply to directories only.

I now have a working policy: I can deploy my app with a custom policy and it all works. (My policy has a lot more entries in the .te file, but that is outside the scope of this question.)

Extra reading material that helped me get to this solution:

Making things easier with sepolgen

Think before you just blindly audit2allow -M mydomain

SELinux FOR RED HAT DEVELOPERS (Long PDF)

An SElinux module (1): types and rules

Sample policy (specially the postgresql)

Understanding the File Contexts Files
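Pulling the answer's .te and .fc fragments together into a complete, buildable module, as an added example that is not code from the original post: the policy_module header and the app_t/app_exec_t/init_daemon_domain declarations are assumed from what a sepolgen template supplies, the rules and the /srv/bot paths are the answer's own, and fc_lookup is a small emulation of how file_contexts matching decides between the two .fc lines (including the -- versus blank qualifier). The build step only runs where the reference-policy Makefile is installed.

```shell
#!/usr/bin/env bash
# Added example (not the post's code); policy_module/app_t/app_exec_t/
# init_daemon_domain declarations are assumed from a sepolgen template.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_policy() {  # writes app.te and app.fc into $WORKDIR
    cat >"$WORKDIR/app.te" <<'EOF'
policy_module(app, 1.0.0)
type app_t;
type app_exec_t;
init_daemon_domain(app_t, app_exec_t)
# Custom file type: files_type() makes it applicable to files/directories.
type app_var_t;
files_type(app_var_t)
allow app_t app_var_t:dir { add_name remove_name write search };
allow app_t app_var_t:file { unlink create open rename write read };
EOF
    cat >"$WORKDIR/app.fc" <<'EOF'
/srv/bot/app        --  gen_context(system_u:object_r:app_exec_t,s0)
/srv/bot(/.*)?          gen_context(system_u:object_r:app_var_t,s0)
EOF
}

# Emulates file_contexts lookup for app.fc (simplified: handles --, -d and
# no qualifier). A line is a candidate when its regex matches the whole path
# and its qualifier fits the object class (-- regular files only, -d
# directories only, none = both); the longest literal prefix wins.
fc_lookup() {  # usage: fc_lookup PATH f|d  -> prints the SELinux type
    local path="$1" class="$2" best="" best_len=-1 re qual ctx stem
    while read -r re qual ctx; do
        [ -n "$re" ] || continue
        case "$qual" in gen_context*) ctx="$qual"; qual="" ;; esac
        case "$qual:$class" in --:d|-d:f) continue ;; esac
        printf '%s\n' "$path" | grep -Eqx "$re" || continue
        stem=$(printf '%s' "$re" | sed 's/[][(.*?\\].*//')
        if [ "${#stem}" -gt "$best_len" ]; then best="$ctx"; best_len="${#stem}"; fi
    done <"$WORKDIR/app.fc"
    printf '%s\n' "$best" | sed -E 's/.*:object_r:([a-z_]+),s0.*/\1/'
}

build_and_load() {  # same steps as the sepolgen-generated app.sh
    make -C "$WORKDIR" -f /usr/share/selinux/devel/Makefile app.pp
    semodule -i "$WORKDIR/app.pp" && restorecon -R -v /srv/bot
}

write_policy
printf '%s -> %s\n' /srv/bot/app "$(fc_lookup /srv/bot/app f)"  # app_exec_t
[ -f /usr/share/selinux/devel/Makefile ] && build_and_load || true
```

Because both .fc lines match /srv/bot/app, the lookup shows why the binary still gets app_exec_t (longer literal prefix) while a directory of that name would fall through to app_var_t (the -- qualifier excludes directories).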

Author: Simranjeet Singh

Updated on September 18, 2022

Comments

  • Simranjeet Singh
    Simranjeet Singh almost 2 years

    I wrote a service/single-binary app that I'm trying to run on Fedora 24. It runs using systemd, and the binary is deployed to /srv/bot.

    This service/app I wrote needs to create/open/read and rename files in this directory.

    I first started creating a new policy based on SELinux: allow a process to create any file in a certain directory

    but when my app needed to rename, the output had a warning:

    #!!!! WARNING: 'var_t' is a base type.
    allow init_t var_t:file rename;
    

    I googled around and found out I should use a more specific SELinux label than a base type, but all the examples online show you existing labels from httpd/nginx/etc.

    Is there a way I can create a custom label just for my own app?

    My idea is to create something like myapp_var_t, use

    semanage fcontext -a -t my_app_var_t '/srv/bot(/.*)?'
    restorecon -R -v /srv/bot
    

    and a custom .pp file that will use this custom type

    If there is a better way to solve it, that works too.

    Thanks

    Update

    After more searching around I think the proper term for what I want to do is to create new types which led me to https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3036916

    which basically says, run

    sepolgen /path/to/binary
    

    and I was able to get a template that I can then compile into a pp file and load. I still get some errors, but it looks like I'm closer to what I want to do.

    If I get it to work, I'll update this post

  • Jakuje
    Jakuje almost 8 years
    Or use CIL
  • jayhendren
    jayhendren over 5 years
    sepolgen /path/to/binary spits out a syntax error for me. I'm on RHEL 7.6. I think sepolgen --application /path/to/binary is the proper syntax if your goal is to write a policy for a particular application??
  • jayhendren
    jayhendren over 5 years
    Your .te file also throws a syntax error for me when compiling the module: app.te:5:ERROR 'This block has no require section.' at token 'files_type' on line 5:. And if I add a require section, I get: ERROR 'syntax error' at token 'files_type' on line 13:
  • Simranjeet Singh
    Simranjeet Singh over 5 years
    Sorry, I no longer have access to a Fedora machine to test it, but it could be that since version 24, they changed the syntax.