
I want to restrict write access to certain files so that only specific process types (domains) can modify them. For this, I need to create a custom file label and assign it to those files.

Following this answer, I used:

type <custom_label>;
files_type(<custom_label>);

But files_type() seems to implicitly allow access to all process types. If I skip files_type() and just declare:

type <custom_label>;

then semanage fcontext -a -t <custom_label> "/some/path" fails with:

ValueError: Type <custom_label> is invalid, must be a file or device type

Question: What is the correct way to declare a file label that:

  • Can be assigned to paths via semanage fcontext.
  • Doesn’t allow access to any process types except those explicitly granted via allow rules?

1 Answer

The linked answer is right; by doing this you should isolate your files:

# write the policy source (the file name must match the policy_module name)
cat << EOF >> mylocalpolicy.te
policy_module(mylocalpolicy, 0.0.1)

type test_type_t;
files_type(test_type_t)
EOF
# build the module package and load it into the running policy
make -f /usr/share/selinux/devel/Makefile
semodule -i mylocalpolicy.pp
# record the file context, then apply it to the files on disk
semanage fcontext -a -t test_type_t "/some/path"
restorecon -RFv /some/path

files_type is used so you can apply this type to files and folders. That's why, when you remove it, you cannot apply this type to your file or folder.

I suspect that either you forgot the restorecon part and your file is not labeled (you can check this with ls -lZ /some/path), or you are trying to access the file with an unconfined process, which can then access all types. If you want to prevent this, you have to configure users so there are no unconfined processes.
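As an added example (not part of the original answer), the procedure above carried one step further: a script that generates a policy module in which the new file type gets files_type and exactly one confined domain gets allow rules on it, builds and installs the module, labels the path, and then checks the on-disk label rather than trusting the fcontext entry. The module name restrictedfiles, the type restricted_data_t, the writer domain httpd_t and the path /srv/restricted are assumptions chosen for the example, not names from the post.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumed names: module
# "restrictedfiles", file type "restricted_data_t", the only domain allowed
# to write ("httpd_t") and the path /srv/restricted. Adjust them to taste.
set -eu

MODULE=restrictedfiles
FILE_TYPE=restricted_data_t
WRITER_DOMAIN=httpd_t
TARGET=/srv/restricted

# Print the policy source. files_type() makes the type a valid target for
# semanage fcontext; the allow rules grant one confined domain access. SELinux
# denies by default, so any other confined domain gets an AVC denial. Unconfined
# domains (unconfined_t) are not restricted by this module, as the answer notes.
gen_policy_te() {
    module=$1; ftype=$2; writer=$3
    cat <<EOF
policy_module(${module}, 1.0.0)

gen_require(\`
    type ${writer};
')

type ${ftype};
files_type(${ftype})

# Only ${writer} may traverse the directory and create, read and write files in it.
allow ${writer} ${ftype}:dir { search getattr open read write add_name remove_name };
allow ${writer} ${ftype}:file { create open read write append getattr setattr unlink };
EOF
}

# Extract the SELinux type from one line of "ls -lZ" or "ls -dZ" output, e.g.
# "-rw-r--r--. root root system_u:object_r:restricted_data_t:s0 /srv/restricted/a"
label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, a, ":"); print a[3]; exit }
    }'
}

# Return 0 when a label line carries the expected type, 1 otherwise.
label_matches() {
    [ "$(label_type "$1")" = "$2" ]
}

# Build, install and apply the label. Needs selinux-policy-devel,
# policycoreutils and root. Run the script with "--install" to execute this.
install_and_label() {
    tmp=$(mktemp -d)
    gen_policy_te "$MODULE" "$FILE_TYPE" "$WRITER_DOMAIN" > "$tmp/$MODULE.te"
    ( cd "$tmp" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$tmp/$MODULE.pp"
    mkdir -p "$TARGET"
    # The regex covers the directory and everything below it; -m updates an
    # entry that already exists instead of failing.
    semanage fcontext -a -t "$FILE_TYPE" "${TARGET}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$FILE_TYPE" "${TARGET}(/.*)?"
    restorecon -RFv "$TARGET"
    # Verify what is actually on disk, not just the fcontext database.
    label_matches "$(ls -dZ "$TARGET")" "$FILE_TYPE" \
        || { echo "label not applied to $TARGET" >&2; exit 1; }
}

if [ "${1:-}" = "--install" ]; then
    install_and_label
fi
```

Without an argument the script only defines the functions, so it can be sourced or inspected safely; run it as root with --install on a host that has the policy development Makefile. After that, a process in httpd_t can write under /srv/restricted, any other confined domain is denied (check ausearch -m AVC for the denials), and a shell in unconfined_t still has full access, which is exactly the point the answer makes about unconfined users.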
