Enhancing an SELinux policy with file transitions
Up until now, we've only handled the configuration part on file contexts: if we would ask SELinux utilities to relabel files, then the changes we made would come into effect. However, unless you run with the restorecond daemon checking out all possible file modifications (which would really be a resource hog) or run restorecon manually against all files regularly, the newly defined contexts will not be applied to the files.
What we need to do is modify the local SELinux policy so that, upon creation of these files, the Linux kernel automatically assigns the right label to those files. This is handled through file transitions, which is a specific case of a type transition.
In a type transition, we configure a policy so that if a given domain creates a file (or other resource class) inside a directory with a specified label, then the created object should automatically get a specific label. Policy-wise, this is written as follows:
type_transition...
