I wrote a service/single binary app that I’m trying to run on Fedora 24. It runs using systemd, and the binary is deployed to /srv/bot.
This service/app I wrote needs to create/open/read and rename files in this directory.
I first started by creating a new policy based on "SELinux: allow a process to create any file in a certain directory",
but when my app needed to rename, the output had a warning:
#!!!! WARNING: 'var_t' is a base type. allow init_t var_t:file rename;
I googled around and found out I should use a more specific SELinux label than a base type, but all the examples online show you existing labels from httpd/nginx/etc.
Is there a way I can create a custom label just for my own app?
My idea is to create something like myapp_var_t, use
semanage fcontext -a -t my_app_var_t '/srv/bot(/.*)?'
restorecon -R -v /srv/bot
and a custom .pp file that will use this custom type.
If there is a better way to solve it, that works too.
Thanks
Update
After more searching around I think the proper term for what I want to do is to create new types, which led me to
https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3036916
which basically says, run
sepolgen /path/to/binary
and I was able to get a template that I can then compile into a .pp file and load. I still get some errors, but it looks like I’m closer to what I want to do.
If I get it to work, I’ll update this post.
Answers:
Method 1
With the starting point of running
sepolgen /path/to/binary
which gives you:
app.fc app.sh app.if app.spec app.te
To create a new SELinux file context to apply to a parent directory that holds files your program/daemon will modify, you edit the app.te file and add:
type app_var_t;
files_type(app_var_t)
The first line declares the new type and the second line calls a macro that does some magic and makes it a file type (turns out you cannot use a process context like app_exec_t on a file or directory); see “SELinux Types Revisited” for more info on the different types.
Once you have the type declared, you need to tell SELinux that your app is allowed to use it. In my case I added:
allow app_t app_var_t:dir { add_name remove_name write search};
allow app_t app_var_t:file { unlink create open rename write read };
Those two lines basically say: allow the app_t type, which is the domain of my app, to write/search/etc. directories with the context app_var_t, and allow it to create/open/delete/etc. files with the context app_var_t.
The last part of the puzzle is to somehow tell SELinux which folder(s) and file(s) should get each type. You do this by editing the app.fc file (fc => file context);
this file has only two lines in my case:
/srv/bot/app -- gen_context(system_u:object_r:app_exec_t,s0)
/srv/bot(/.*)? gen_context(system_u:object_r:app_var_t,s0)
the first line points straight to the binary as deployed on my servers, so this one gets the app_exec_t context.
The second line means:
apply app_var_t to the directory /srv/bot and also to all files inside the dir /srv/bot.
Note how the first line has -- between the path and the call to gen_context. -- means: apply this only to files. In the second case we don’t have anything (just spaces), which means: apply to all matching directories and files, which is what I wanted. Another option is -d to apply only to directories.
I now have a working policy; I can deploy my app with a custom policy and it all works. (My policy has a lot more entries in the .te file, but that is outside the scope of this question.)
Extra reading material that helped me get to this solution:
Making things easier with sepolgen
Think before you just blindly audit2allow -M mydomain
SELinux FOR RED HAT DEVELOPERS (Long PDF)
An SElinux module (1): types and rules
Sample policy (especially the postgresql one)
Understanding the File Contexts Files
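Added example (not code from the post or from the SELinux project) illustrating the .fc matching rules the answer describes: a small parser for .fc lines that expands gen_context(), honours the -- / -d inode-type flags, and looks up which context a path would get. The sample .fc text is constructed, and the ordering rule (longest literal stem wins, literal path beats regex, later line wins ties) is an assumed approximation of how fc_sort/libselinux order entries, not the exact algorithm.

```python
import re

# Constructed sample .fc file (not from the original post): the answer's two
# entries plus a directory-only entry to show the -d flag.
SAMPLE_FC = """
/srv/bot/app     --   gen_context(system_u:object_r:app_exec_t,s0)
/srv/bot(/.*)?        gen_context(system_u:object_r:app_var_t,s0)
/srv/bot/log     -d   gen_context(system_u:object_r:app_log_t,s0)
"""
# Optional second column: restrict an entry to one inode type.
FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
         "-b": "blk", "-s": "sock", "-p": "fifo"}
META = re.compile(r"[.\[\]()*?+{}^$|\\]")  # regex metacharacters

def parse_fc(text):
    """Parse .fc lines into entries with a compiled regex and expanded context."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1] in FTYPE:
            path_re, ftype, ctx = parts
        else:  # no type flag: the entry applies to every inode type
            path_re, ftype, ctx = parts[0], None, " ".join(parts[1:])
        m = re.fullmatch(r"gen_context\(([^,]+),(\w+)\)", ctx)
        entries.append({
            "regex": re.compile(path_re + "$"),   # match() anchors the start
            "ftype": FTYPE.get(ftype),
            "context": f"{m.group(1)}:{m.group(2)}" if m else ctx,
            "stem": META.split(path_re, 1)[0],    # literal prefix before any metachar
            "literal": META.search(path_re) is None,
        })
    return entries

def lookup(entries, path, ftype="file"):
    """Context a path of the given inode type would get, or None if nothing matches.
    Ordering is an assumed approximation of fc_sort/libselinux, not the exact
    algorithm: longest literal stem wins, literal beats regex, later line wins ties."""
    best = None
    for e in entries:
        if (e["ftype"] and e["ftype"] != ftype) or not e["regex"].match(path):
            continue
        if best is None or (len(e["stem"]), e["literal"]) >= (len(best["stem"]), best["literal"]):
            best = e
    return best["context"] if best else None
```

For example, lookup(parse_fc(SAMPLE_FC), "/srv/bot/app", "dir") returns app_var_t rather than app_exec_t, because the -- entry only applies to regular files.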
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.