On RHEL/CentOS 7 I'm trying to create a new SELinux security context for files to support a new service that I'm writing.
I've created a Type Enforcement file for my new service, but I can't manage to create a new type that the system will recognize as a file type.
I'm working based on this CentOS 5 "Building a local policy module" document, which instructs me to create a TE file then use checkmodule
and semodule_package
to compile it.
If I just write in my TE file:
type myservice_spool_t;
then the TE compiles fine, but when I try to semanage fcontext
I get this:
$ sudo semanage fcontext -a -t myservice_spool_t "/var/spool/myservice(/.*)?"
ValueError: Type myservice_spool_t is invalid, must be a file or device type
I've read various tutorials but failed to find an example that works - everything I look at is either:
- outdated - e.g. This RHEL 4 SELinux documentation page says that one should use
type myservice_spool_t, file_type;
butcheckmodule
says:ERROR 'attribute file_type is not declared'
- incomplete - e.g. this answer will have me use the macro
file_type()
butcheckmodule
says:ERROR 'This block has no require section.' at token 'files_type'
- or completely missing - e.g. the new SELinux guide for RHEL 7 does not have any information on how to create new policies, except using
audit2allow
.
The SELinux project website is completely useless as I failed to locate a single working example
I'd appreciate a simple concise example of how to write a TE file that introduces a new type that semanage fcontext
will approve of.
[Update]
I found this Gentoo documentation for creating policy files, which some useful explanations and examples.