SELinux: How to create a new file type

Question

On RHEL/CentOS 7 I'm trying to create a new SELinux security context for files to support a new service that I'm writing.

I've created a Type Enforcement file for my new service, but I can't manage to create a new type that the system will recognize as a file type.

I'm working based on this CentOS 5 "Building a local policy module" document, which instructs me to create a TE file then use checkmodule and semodule_package to compile it.

If I just write in my TE file:

type myservice_spool_t;

then the TE compiles fine, but when I try to semanage fcontext I get this:

$ sudo semanage fcontext -a -t myservice_spool_t "/var/spool/myservice(/.*)?" 
ValueError: Type myservice_spool_t is invalid, must be a file or device type

I've read various tutorials but failed to find an example that works - everything I look at is either:

• outdated - e.g. This RHEL 4 SELinux documentation page says that one should use type myservice_spool_t, file_type; but checkmodule says: ERROR 'attribute file_type is not declared'
• incomplete - e.g. this answer will have me use the macro file_type() but checkmodule says: ERROR 'This block has no require section.' at token 'files_type'
• or completely missing - e.g. the new SELinux guide for RHEL 7 does not have any information on how to create new policies, except using audit2allow.

The SELinux project website is completely useless as I failed to locate a single working example

I'd appreciate a simple concise example of how to write a TE file that introduces a new type that semanage fcontext will approve of.

[Update]

I found this Gentoo documentation for creating policy files, which some useful explanations and examples.

Answer 1

I found out that the problem I was having is because I didn't compile the module correctly. As a result the macros probably didn't "take" and the checkmodule policy compiler error messages didn't really help to understand that.

To get all these macros to expand properly, one needs to compile the policy using the Makefiles provided by SELinux - with a TE file called myservice_spool.te, one should execute:

make -f /usr/share/selinux/devel/Makefile myservice_spool.pp

This will create a temporary TE file with all macros expanded, then call the relevant compilers to create myservice_spool.pp.

The Gentoo documentation linked in the OP has slightly more information, though the file paths are not correct for CentOS systems.

If you review the generated TE template in the tmp directory (that the SELinux makefile helpfully leaves in place), you can see that "attributes" is indeed the correct way to handle specifying a type as a file, butwe must require them to get them to work - the way SELinux TE files appear to work is that you don't get any symbols magically imported into the configuration file - you have to require anything you use.

So the correct non-macroified way to set up a new file type is something like this (copied from the TE generated template):

type myservice_spool_t;
require {
    attribute spoolfile;
    attribute file_type, non_security_file_type, non_auth_file_type;
} # end require
typeattribute myservice_spool_t file_type, non_security_file_type, non_auth_file_type, spoolfile;

Answer 2

You need to declare it a member of the files attribute such that it has relabel privileges.

Try

type myservice_spool_t;
files_type(myservice_spool_t)

Or better in your case..

type myservice_spool_t;
files_spool_file(myservice_spool_t)

Given you are actually making a spool file. This gives other macros the ability to work with that spool if they have 'manage spool' privileges in their policy.

Heres a complete policy module example.

policy_module(`myservice', 1.0.0)

type myservice_spool_t;
files_spool_file(myservice_spool_t)

This would work, but only declare the type and thats that. You'd need some allow rules to make it do something worthwhile.

Answer 3

https://selinuxproject.org/page/TypeStatements has the correct answer:

# Using the typeattribute statement to associate a type of
# setroubleshootd_exec_t to two attributes file_type and 
# non_security_file_type. 

# These are the previously declared attributes:
attribute file_type;
attribute non_security_file_type;

# The previously declared type:
type setroubleshootd_exec_t;

# These are the associations using the typeattribute statement:
typeattribute setroubleshootd_exec_t file_type, non_security_file_type;

But, yes, your question raises an interesting point.

SELinux natively knows three languages, and there is one third party abstraction language called "Reference policy".

1. Monolitic policy language (checkpolicy is used to compile policy.conf -- man checkpolicy)
2. Module policy language (checkmodule is used to compile $MODULE.{te.fc} -- man checkmodule)
3. Common Intermediate Language (secilc is used to compile $MODULE.cil -- man secilc)

Each of the above native languages has its own specific properties, and it can be confusing.

Reference policy is basically a wrapper around "Module policy language" with the goal to make policy maintenance easier.