Limiting access to a file to only one or two known processes through SELinux

[MihaMarkic]

Hi,

Running Fedora workstation and targeted SELinux policy.
I have a file and I want to limit access to it only to two processes, let's say first one is app. Others should be denied access.

I’ve tried sepolice generate --application /PATH/TO/APP then added in app.te this file type:

type app_var_t;
files_type(app_var_t);
allow app_t app_var_t:file { unlink create open read write rename };

and run sudo ./app.sh to apply generated policy. Then I applied app_var_t type to file in question.

But I see two problems here:

1. app_var_t is readable from unconfined processes. (accordingly because I’ve used files_type function)
2. while app_t domain is applied to the application that should be able to read the file, when app started its process shows unconfined_t domain.

Any idea how can I create proper policy?

TIA