multiple output file context types?

Daniel J Walsh dwalsh at redhat.com
Mon May 11 17:54:51 UTC 2009


On 05/11/2009 01:04 PM, Stephen Smalley wrote:
> On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
>> I have an application that has two different types of output files
>> that are normally written to /var/log.
>>
>>          1: diagnostic log - should be readable by "normal" system
>> administrators.
>>
>>          2: security data log - should only be readable by security
>> officers.
>>
>>
>>
>> Is there a different way to declare two different file context types
>> for output files?
>
> The kernel policy can only distinguish based on the creating process
> domain, the parent directory type, and the file class.  You can
> therefore only define one default type assignment in the policy for any
> such triple.  To support multiple output types, you have two choices:
> 1) Move one of the log files to a different subdirectory,
> e.g. /var/log/security, and assign that subdirectory a different type,
> or
> 2) Modify your application to call setfscreatecon(secctx) with the
> desired security context prior to creating the security data log file,
> then call setfscreatecon(NULL) afterward to restore the default labeling
> behavior on any subsequent file creations.
>
Or precreate the files in the init script and run restorecon on them,
then allow your confined domain to append output to the files.
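Stephen's second option written out in C, as an added example that is not from this thread or from any project: the diagnostic log is created the normal way and gets the policy's default type, while the security data log is created with setfscreatecon() set and then cleared again on every exit path. The type `PLACEHOLDER_secdata_log_t`, the /tmp paths and the record text are assumptions; the libselinux symbols are declared weak only so the program also builds and runs on a box without libselinux, which is a convenience for the demo rather than the normal `-lselinux` link.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* libselinux entry points declared weak so this builds and runs even where
 * libselinux is not linked (they resolve to NULL). A real build would
 * include <selinux/selinux.h> and link with -lselinux instead. */
extern int is_selinux_enabled(void) __attribute__((weak));
extern int setfscreatecon(const char *ctx) __attribute__((weak));

/* 1 when libselinux is present and SELinux is enabled on this kernel. */
int selinux_active(void)
{
    return (is_selinux_enabled && setfscreatecon) ? is_selinux_enabled() > 0 : 0;
}

/* Open (creating if needed) an append-only log whose new inode gets label `ctx`
 * instead of the type the policy derives from creating domain + parent dir.
 * The file-create context is per-thread and is reset on every exit path, so
 * later creates by this thread get the policy default again. When SELinux is
 * active and the label cannot be set, fail closed rather than create a
 * mislabeled security log. Returns an fd, or -1 with errno set. */
int open_log_with_context(const char *path, const char *ctx)
{
    int fd, saved_errno, labeling = selinux_active();
    if (labeling && setfscreatecon(ctx) < 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    saved_errno = errno;
    if (labeling)
        setfscreatecon(NULL);            /* restore default labeling */
    errno = saved_errno;
    return fd;
}

/* Constructed demo: diagnostic log keeps the default label, security data log
 * is created under the assumed placeholder type. Returns 1 on success. */
int demo(void)
{
    static const char rec[] = "constructed security record\n";
    char diag[64], sec[64];
    int dfd, sfd, ok;
    snprintf(diag, sizeof diag, "/tmp/diag.%ld.log", (long)getpid());
    snprintf(sec, sizeof sec, "/tmp/secdata.%ld.log", (long)getpid());
    dfd = open(diag, O_WRONLY | O_CREAT | O_APPEND, 0644);
    sfd = open_log_with_context(sec, "system_u:object_r:PLACEHOLDER_secdata_log_t:s0");
    ok = dfd >= 0 && sfd >= 0 && write(sfd, rec, sizeof rec - 1) == (ssize_t)(sizeof rec - 1);
    if (dfd >= 0) close(dfd);
    if (sfd >= 0) close(sfd);
    unlink(diag); unlink(sec);           /* clean up the demo files */
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Whatever type you pick still needs the usual policy rules letting the application's domain create and append to files of that type; setfscreatecon() only selects the label, it grants no access.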
