SELinux/Tutorials/Working with customizable types

Working with customizable types
In a previous tutorial, we introduced restorecon and noted that it will not reset the context of a file whose context has a customizable type, unless the -F option (force) is given. In this tutorial we will cover the purpose and uses of customizable types.

What are customizable types used for
SELinux customizable types are types which are meant to persist through a standard relabel operation (whether through restorecon or through a complete system relabel operation). Because of this behavior, such contexts are most frequently used on files whose location is not fixed on the system. Because their location is not fixed,  the policy writer cannot use a context mapping definition to manage the file context.

A list of customizable types on an SELinux system can be received by reading the content of the file:

So if you have a script in a home directory (currently labeled user_home_t) and you change the context of this file towards home_bin_t, then a relabel of this file (be it directly or through a recursive relabeling operation against the entire home directory) will not change the context back from home_bin_t to user_home_t.

Marking types as customizable
There is no formal method for marking types as customizable: this is in the hands of the SELinux policy writers. It also doesn't really make sense to mark types that are non-customizable as customizable, as in most cases all you then need to do is to use semanage fcontext to add in another context definition (expression) and be done with it.

However, in the unlikely situation that you really need a type marked as customizable, you can update the before-mentioned file yourself, but be aware that any system update (package updates) will most likely overwrite your changes anyway.

Thus the best way to get a type marked as customizable is to ask the distribution developers for help.

Setting the context
As shown earlier, most customizable types can be set using chcon even for regular users. Because the types will not be changed back after a relabel operation, there is no need to use restorecon. However, it is not because a type is customizable that regular users can change labels towards a customizable type.

Relabel operations remain governed through SELinux policies. For regular users, this means they have the relabelfrom permission from user_home_t and relabelto permission towards some of the customizable types.

For instance, regular users do not have the permission to relabel a file as a svirt_image_t file.

Overriding customizable contexts (hard resets)
When you need to override the customizable contexts, you can use the -F (which stands for force) option with restorecon. This not only resets the context back to what the context definition expressions define, but it also resets the other fields of the context to what they are supposed to be. The purpose of these other fields will be explained in a later tutorial.

It is not recommended to do this against all user home directories on a system where lots of users have access to. Many of these users will have used customizable types to update the contexts of their home files (such as marking files as httpd_user_content_t so that the web server can display the content) and resetting the contexts for all files will make these changes undone.

What you need to remember
What you should remember from this tutorial is that
 * customizable types exist for files and resources that have no fixed location on a file system
 * the list of current customizable types can be found in
 * the context of files with a customizable type context can be reset if you use the force (-F) option during relabel operations