multiple output file context types?
Brian Ginn
BGinn at symark.com
Mon May 11 16:54:46 UTC 2009
I have an application that has two different types of output files that are normally written to /var/log.
1: diagnostic log - should be readable by "normal" system administrators.
2: security data log - should only be readable by security officers.
Is there a different way to declare two different file context types for output files?
My current attempts do not work:
For the diagnostic log, I have created a log file type myapp_log_t, and created a file context:
/var/log/myapp\.log -- gen_context(system_u:object_r:myapp_log_t,s0)
Using the following policy statements, myapp creates a log file, and SELinux takes care of assigning the file context automatically:
logging_log_file(myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, { file dir } )
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
I wish to have a different type for the data log, however when I try to use logging_log_filetrans for a second log type, semodule complains:
[root at host1 log]# semodule -i /home/brian/src/myapp/myapp.pp
libsepol.expand_terule_helper: conflicting TE rule for (myapp_t, var_log_t:dir): old was myapp_log_t, new is myappsecurity_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root at host1 log]#
Thanks,
Brian
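The expand error above is the key: a plain type_transition is keyed only on (source domain, directory type, object class), so two unnamed logging_log_filetrans calls for myapp_t in var_log_t are two defaults for the same key, and libsepol refuses the module. Below is an added example module showing how to keep both log types in /var/log with named file transitions, plus the directory-based fallback for toolchains that lack them. It is not part of the original post or of Brian's module: myapp_t and myapp_log_t come from the post, while myappsecurity_log_t, myapp_exec_t, the file names and the /usr/sbin/myapp path are assumptions. Named file transitions require policy version 25 (kernel 2.6.39 or later) and a refpolicy whose logging_log_filetrans accepts a fourth filename argument; check logging.if under /usr/share/selinux/devel/include, since the Fedora of 2009 did not have them.

```selinux
# ---- myapp.te ----  (added example, not the poster's module)
policy_module(myapp, 1.1)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Diagnostic log type (from the post).
type myapp_log_t;
logging_log_file(myapp_log_t)

# Security data log type (assumed name). Keep read access to this type
# limited to the security officers' domain; do not hand it to the
# interfaces that grant "all log files" to administrators.
type myappsecurity_log_t;
logging_log_file(myappsecurity_log_t)

# Both files are created directly in /var/log (var_log_t).  A default
# transition is keyed on (myapp_t, var_log_t, file) only, so this pair is
# exactly the duplicate that expand_terule_helper rejects:
#
#   logging_log_filetrans(myapp_t, myapp_log_t, file)          # fine alone
#   logging_log_filetrans(myapp_t, myappsecurity_log_t, file)  # conflicts
#
# Named file transitions add the new object's last path component to the
# key, so two rules for the same directory type no longer collide:
logging_log_filetrans(myapp_t, myapp_log_t, file, "myapp.log")
logging_log_filetrans(myapp_t, myappsecurity_log_t, file, "myapp-security.log")

# Raw kernel-policy form of the two interface calls above, for reference:
#   type_transition myapp_t var_log_t:file myapp_log_t "myapp.log";
#   type_transition myapp_t var_log_t:file myappsecurity_log_t "myapp-security.log";

logging_search_logs(myapp_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)

# Fallback without named transitions (the situation in 2009): give the
# security log its own directory, /var/log/myapp-security/, labelled
# myappsecurity_log_t by the .fc entry below and created by the package
# (restorecon).  With no matching transition, a new file inherits its
# parent directory's type, so the single unnamed
#   logging_log_filetrans(myapp_t, myapp_log_t, { file dir })
# from the post stays as the only rule on var_log_t, and the security log
# only needs:
#   manage_dirs_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)
#   manage_files_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)

# ---- myapp.fc ----
/usr/sbin/myapp              --  gen_context(system_u:object_r:myapp_exec_t,s0)
/var/log/myapp\.log          --  gen_context(system_u:object_r:myapp_log_t,s0)
/var/log/myapp-security\.log --  gen_context(system_u:object_r:myappsecurity_log_t,s0)
/var/log/myapp-security(/.*)?    gen_context(system_u:object_r:myappsecurity_log_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp`, then `restorecon -Rv /var/log`. To confirm the two transitions were accepted, `sesearch -T -s myapp_t -t var_log_t -c file` should list both rules with their file names; after the daemon has written once, `ls -Z /var/log/myapp*.log` should show myapp_log_t on one file and myappsecurity_log_t on the other. If the build still reports a conflicting TE rule, the toolchain does not support named transitions and the directory-based fallback in the comments is the way to keep the two types apart.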