User:SwifT/selinux-tutorials/4

Working with customizable types
When talking about restorecon we already touched on the -F option (force) and mentioned that it is meant for customizable types. This tutorial covers some ground regarding customizable types and why they were introduced to begin with.

What are customizable types used for
SELinux customizable types are type contexts (thus suffixed with _t) which can be assigned to files and other resources, and where this context is not reset during a standard relabel operation (either through restorecon or through a complete system relabel operation). Because of this behavior, such contexts are most frequently used on files whose path is not really fixed on Linux systems (so the policy writer cannot provide a context definition that matches most users' systems).

A list of customizable types on an SELinux system can be obtained by reading the content of the file:

So if you have a script in a home directory (currently labeled user_home_t) and you change the context of this file to home_bin_t, then a relabel of this file (be it directly or through a recursive relabeling operation against the entire home directory) will not change the context back from home_bin_t to user_home_t.
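The relabel behavior described above, modelled as an added example that is not part of the original tutorial: it reports which files a standard relabel would leave alone and which a forced (-F) relabel would reset. The function names, the sample paths and contexts, and a type list containing only home_bin_t are assumptions made for illustration; on a live system the two context columns could be taken from `ls -Z` and `matchpathcon`.

```shell
#!/bin/sh
# Added example: models which files a relabel would touch.
# All paths, contexts and the type list below are constructed sample data.

# Print the type field (third colon-separated field) of a context.
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# relabel_plan TYPES_FILE FORCE
# Reads "path current_context default_context" lines on stdin.
# FORCE=0 models a standard relabel, FORCE=1 a relabel with -F.
relabel_plan() {
    types_file=$1
    force=$2
    while read -r path current default; do
        cur_t=$(type_of "$current")
        def_t=$(type_of "$default")
        if [ "$cur_t" = "$def_t" ]; then
            echo "$path unchanged $cur_t"
        elif [ "$force" -eq 0 ] && grep -qxF "$cur_t" "$types_file"; then
            # Customizable type: a standard relabel leaves it alone.
            echo "$path kept $cur_t"
        else
            echo "$path reset $def_t"
        fi
    done
}

# Constructed list of customizable types, one type per line.
SAMPLE_TYPES=$(mktemp)
printf '%s\n' home_bin_t > "$SAMPLE_TYPES"

# Constructed listing: path, current context, policy default context.
SAMPLE_LIST=$(mktemp)
printf '%s\n' \
  '/home/user/bin/backup.sh user_u:object_r:home_bin_t user_u:object_r:user_home_t' \
  '/home/user/notes.txt user_u:object_r:user_home_t user_u:object_r:user_home_t' \
  '/home/user/tool.sh user_u:object_r:tmp_t user_u:object_r:user_home_t' \
  > "$SAMPLE_LIST"

echo "standard relabel:"
relabel_plan "$SAMPLE_TYPES" 0 < "$SAMPLE_LIST"
echo "forced relabel (-F):"
relabel_plan "$SAMPLE_TYPES" 1 < "$SAMPLE_LIST"
```

Lines reported as "kept" are the ones worth reviewing by hand, since a standard relabel will never bring them back to the policy default.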

Marking types as customizable
There is no formal method for marking types as customizable: this is in the hands of the SELinux policy writers. It also doesn't really make sense to mark non-customizable types as customizable, as in most cases all you need to do is use semanage fcontext to add another context definition (expression) and be done with it.

However, in the unlikely situation that you really need a type marked as customizable, you can update the aforementioned file yourself, but be aware that any system update (package updates) will most likely overwrite your changes anyway.

Thus the best way to get a type marked as customizable is to ask the distribution developers for help.

What you need to remember
What you should remember from this tutorial is that
 * customizable types exist for files and resources that have no fixed location on a file system
 * the list of current customizable types can be found in
 * the context of files with a customizable type context can be reset if you use the force (-F) option during relabel operations