I have an application that has two different types of output files that are
normally written to /var/log:

1. Diagnostic log - should be readable by "normal" system administrators.
2. Security data log - should only be readable by security officers.

Is there a different way to declare two different file context types for
output files? My current attempts do not work.

For the diagnostic log, I have created a log file type myapp_log_t, and
created a file context:

    /var/log/myapp\.log -- gen_context(system_u:object_r:myapp_log_t,s0)

Using the following policy statements, myapp creates a log file, and SELinux
takes care of assigning the file context automatically:

    logging_log_file(myapp_log_t)
    logging_log_filetrans(myapp_t, myapp_log_t, { file dir })
    manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
    manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)

I wish to have a different type for the data log; however, when I try to use
logging_log_filetrans for a second log type, semodule complains:

    [root@host1 log]# semodule -i /home/brian/src/myapp/myapp.pp
    libsepol.expand_terule_helper: conflicting TE rule for (myapp_t, var_log_t:dir): old was myapp_log_t, new is myappsecurity_log_t
    libsepol.expand_module: Error during expand
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule: Failed!
    [root@host1 log]#

Thanks,
Brian
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
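Added example (not part of Brian's post or of any reply on the list): one way for a single domain to create two differently typed log files under /var/log is to use named file transitions, which the reference policy exposes through the optional filename argument of logging_log_filetrans. The conflict libsepol reports comes from two unnamed type_transition rules sharing the same (source domain, var_log_t, class) key, and only one default type is allowed per key; a transition that also carries a file name is a distinct rule, so two of them can coexist. The example assumes a refpolicy whose logging_log_filetrans accepts a fourth (filename) argument and a kernel and policy version that support named file transitions; myapp_t, myapp_log_t and myappsecurity_log_t are the names from the post, while myapp_exec_t, the /usr/sbin/myapp path and the file name myapp-security.log are assumptions made here.

```selinux
# ---- myapp.te (added example, assumed names marked below) ----
policy_module(myapp, 1.1)

type myapp_t;
type myapp_exec_t;                 # assumed: entrypoint type for /usr/sbin/myapp
init_daemon_domain(myapp_t, myapp_exec_t)

# One type per log file, so each can be labelled and policed separately.
type myapp_log_t;                  # diagnostic log, from the post
logging_log_file(myapp_log_t)

type myappsecurity_log_t;          # security data log, from the post
logging_log_file(myappsecurity_log_t)

# Unnamed transitions give a single default type per (domain, var_log_t, class),
# which is why a second logging_log_filetrans without a name conflicts.
# Named transitions key on the file name as well, so both rules are distinct.
# (assumes the refpolicy interface accepts the filename argument)
logging_log_filetrans(myapp_t, myapp_log_t, file, "myapp.log")
logging_log_filetrans(myapp_t, myappsecurity_log_t, file, "myapp-security.log")

# myapp may write both logs; nothing else is granted here.
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)
logging_search_logs(myapp_t)

# Read access for the two audiences is then granted per type, e.g. a
# read_files_pattern(<admin domain>, myapp_log_t, myapp_log_t) for the
# diagnostic log only; the security log type gets no such rule for that domain.

# ---- myapp.fc (added example) ----
# /usr/sbin/myapp                  --  gen_context(system_u:object_r:myapp_exec_t,s0)
# /var/log/myapp\.log              --  gen_context(system_u:object_r:myapp_log_t,s0)
# /var/log/myapp-security\.log     --  gen_context(system_u:object_r:myappsecurity_log_t,s0)

# ---- build, load and check (run as root) ----
# make -f /usr/share/selinux/devel/Makefile myapp.pp
# semodule -i myapp.pp
# restorecon -v /var/log/myapp.log /var/log/myapp-security.log
# ls -Z /var/log/myapp.log /var/log/myapp-security.log
# sesearch -T -s myapp_t -t var_log_t -c file     # shows both named transitions
```

Because the post's first transition used the class set { file dir }, note that a named transition is per class as well as per name: if myapp also creates a directory under /var/log, it needs its own logging_log_filetrans line with the dir class and that directory's name, plus the matching manage_dirs_pattern. The sesearch line is the quickest way to confirm that the loaded policy carries two distinct type_transition rules rather than one default.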