How to create a custom SELinux label
With the starting point of running
sepolgen /path/to/binary
which gives you:
app.fc
app.sh
app.if
app.spec
app.te
To create a new SELinux file context to apply to a parent directory that holds files your program/daemon will modify, you edit the app.te file and add:
type app_var_t;
files_type(app_var_t)
The first line declares the new type and the second line calls a macro that does some magic and makes it a file type (turns out you cannot use a process context like app_exec_t on a file or directory); see "SELinux Types Revisited" for more info on the different types.
Once you have the type declared, you need to tell SELinux that your app is allowed to use it; in my case I added:
allow app_t app_var_t:dir { add_name remove_name write search };
allow app_t app_var_t:file { unlink create open rename write read };
Those two lines basically say: allow the app_t type, which is the domain of my app, to write/search/etc. directories with the context app_var_t, and allow it to create/open/delete/etc. files with the context app_var_t.
The last part of the puzzle is to somehow tell SELinux which folder(s) and file(s) should get each type; you do this by editing the app.fc file (fc => file context). This file only has two lines in my case:
/srv/bot/app -- gen_context(system_u:object_r:app_exec_t,s0)
/srv/bot(/.*)? gen_context(system_u:object_r:app_var_t,s0)
The first line points straight to the binary as deployed on my servers, so this one gets the app_exec_t context.
The second line means: apply app_var_t to the directory /srv/bot and also to all files inside the dir /srv/bot.
Note how the first line has -- between the path and the call to gen_context. -- means: apply this to files only. In the second case we don't have anything (just spaces), which means: apply to all matching directories and files, which is what I wanted. Another option is to have -d to apply to directories only.
I now have a working policy; I can deploy my app with a custom policy and it all works. (My policy has a lot more entries in the .te file, but that is outside the scope of this question.)
Extra reading material that helped me get to this solution:
Making things easier with sepolgen
Think before you just blindly audit2allow -M mydomain
SELinux FOR RED HAT DEVELOPERS (Long PDF)
An SElinux module (1): types and rules
Sample policy (especially the postgresql one)
Understanding the File Contexts Files
Simranjeet Singh
Updated on September 18, 2022
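To check what an app.fc file would label before running restorecon, here is an added example (not from the answer, and not libselinux's own code) that parses file_contexts lines and resolves a path the way the answer describes: the -- and -d fields, the anchored path regex, and the expansion of gen_context(). It assumes a simplified precedence rule (longest literal path stem wins, later lines win ties) that only approximates libselinux, and the app_log_t line is constructed for the example.

```python
import re
# Optional file-type field of a file_contexts line: the answer uses "--" (regular
# files), "-d" (directories) and blank (any kind); the rest are the other kinds.
FILE_TYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
                   "-b": "blk", "-s": "sock", "-p": "fifo"}
# path-regex, optional type field, then gen_context(user:role:type,mls) or <<none>>
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?"
                     r"(?:gen_context\(([^,()]+)(?:,([^()]+))?\)|(<<none>>))$")

def literal_stem(pattern):
    """Leading '/'-separated components that contain no regex metacharacters."""
    stem = ""
    for component in pattern.split("/")[1:]:
        if re.search(r"[.^$?*+|\[\](){}\\]", component):
            break
        stem += "/" + component
    return stem

def parse_fc_line(line):
    """One app.fc line -> (regex, stem, kind, context); None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed file_contexts line: {line!r}")
    pattern, code, user_role_type, mls, none = m.groups()
    # gen_context() expands to user:role:type:mls; <<none>> means "do not relabel"
    ctx = none or user_role_type + (":" + mls if mls else "")
    kind = FILE_TYPE_CODES[code] if code else None      # None: applies to any kind
    return re.compile(pattern), literal_stem(pattern), kind, ctx

def label_for(specs, path, kind="file"):
    """Context a path of this kind gets, or None if no line matches: regexes are
    anchored to the whole path, the longest literal stem wins, later lines win ties."""
    best = None
    for regex, stem, spec_kind, ctx in specs:
        if spec_kind in (None, kind) and regex.fullmatch(path):
            if best is None or len(stem) >= len(best[1]):
                best = (regex, stem, spec_kind, ctx)
    return best[3] if best else None

# The two lines of the answer's app.fc plus a constructed line for a log directory.
APP_FC = """
/srv/bot/app        --  gen_context(system_u:object_r:app_exec_t,s0)
/srv/bot(/.*)?          gen_context(system_u:object_r:app_var_t,s0)
/srv/bot/logs(/.*)?     gen_context(system_u:object_r:app_log_t,s0)
"""
SPECS = [spec for spec in map(parse_fc_line, APP_FC.splitlines()) if spec]
```

Resolving /srv/bot/app as a file gives app_exec_t, but the same path as a directory falls through to app_var_t because the -- line only applies to regular files; /srv/botnet gets nothing because the regex is anchored.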
Comments
-
Simranjeet Singh almost 2 years
I wrote a service/single binary app that I'm trying to run on Fedora 24. It runs using systemd, and the binary is deployed to /srv/bot. This service/app I wrote needs to create/open/read and rename files in this directory.
I first started creating a new policy based on "SELinux: allow a process to create any file in a certain directory", but when my app needed to rename, the output had a warning:
#!!!! WARNING: 'var_t' is a base type. allow init_t var_t:file rename;
I googled around and I found out I should use a more specific SELinux label than a base type, but all the examples online show you existing labels from httpd/nginx/etc.
Is there a way I can create a custom label just for my own app?
My idea is to create something like myapp_var_t, use
semanage fcontext -a -t my_app_var_t '/srv/bot(/.*)?'
restorecon -R -v /srv/bot
and a custom .pp file that will use this custom type. If there is a better way to solve it, that works too.
Thanks
Update
After more searching around I think the proper term for what I want to do is to create new types, which led me to https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3036916 which basically says, run
sepolgen /path/to/binary
and I was able to get a template that I can then compile into a pp file and load. I still get some errors, but it looks like I'm closer to what I want to do.
If I get it to work, I'll update this post.
-
Jakuje almost 8 years
Or use CIL.
-
jayhendren over 5 years
sepolgen /path/to/binary
spits out a syntax error for me. I'm on RHEL 7.6. I think
sepolgen --application /path/to/binary
is the proper syntax if your goal is to write a policy for a particular application??
-
jayhendren over 5 years
Your .te file also throws a syntax error for me when compiling the module:
app.te:5:ERROR 'This block has no require section.' at token 'files_type' on line 5:
And if I add a require section, I get:
ERROR 'syntax error' at token 'files_type' on line 13:
-
Simranjeet Singh over 5 years
Sorry, I no longer have access to a Fedora machine to test it, but it could be that since version 24 they changed the syntax.