David Carter wrote: > Hey folks! > > Here's some architectural background on my application. I have two > pieces: an agent and a library that links with an application. The > library communicates with the agent via semaphores, message queues, and > shared memory. The files corresponding to these IPC mechanisms had been > stored in /tmp. But here's the rub. The agent could run in root space as > a system wide agent, but also in user space as a development and > debugging tool. To facilitate this, each instance creates it's own > subdirectory to hold the IPC files. Since they'll need to clean this up > when they're done, I'd set the sticky bit on the directory. > > So know, if I move the system queues to /var/lib as I should, I have to > have the sticky but set there, which is bad. Alternatively, if I leave > it in the /tmp directory, I don't see how I can set the ACL's that > selinux requires. The third option is to give any applications requiring > access permissions so broad as to defeat the purpose of selinux. And the > fourth is to disable selinux entirely, which is also not good. > > Advice? > Why not use communication via /var/run? Which is cleaned up automatically? Also have it attempt /var/run when you start and fall back to /tmp so if you are working in development, you would use /tmp and in productions /var/run. You should also potentially look at the abstract namespace for socket communication (X Windows now uses this). > TIA, > Dave > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
