multiple output file context types?

I have an application that has two different types of output files that are normally written to /var/log.

        1: diagnostic log - should be readable by "normal" system administrators.

        2: security data log - should only be readable by security officers.

 

Is there a different way to declare two different file context types for output files?

My current attempts do not work:

For the diagnostic log, I have created a log file type myapp_log_t, and created a file context:

/var/log/myapp\.log -- gen_context(system_u:object_r:myapp_log_t,s0)

 

Using the following policy statements, myapp creates a log file, and SELinux takes care of assigning the file context automatically:

        logging_log_file(myapp_log_t)

        logging_log_filetrans(myapp_t, myapp_log_t, { file dir } )

        manage_dirs_pattern(myapp_t, myapp_log_t,  myapp_log_t)

        manage_files_pattern(myapp_t, myapp_log_t,  myapp_log_t)

 

I wish to have a different type for the data log, however when I try to use logging_log_filetrans for a second log type, semodule complains:

 

[root@host1 log]# semodule -i /home/brian/src/myapp/myapp.pp

libsepol.expand_terule_helper: conflicting TE rule for (myapp_t, var_log_t:dir):  old was myapp_log_t, new is myappsecurity_log_t

libsepol.expand_module: Error during expand

libsemanage.semanage_expand_sandbox: Expand module failed

semodule:  Failed!

[root@host1 log]#

Thanks,

Brian

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
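An added example (not from Brian's message, and not a reply from the list) of how two log types can coexist for one source domain without the conflicting unnamed transition. It assumes a refpolicy whose logging_log_filetrans() accepts the optional filename argument and a kernel with named file transition support; the type name myapp_security_log_t, the file names and the separate-directory fallback are assumptions, not anything from the original thread.

```m4
# ---- myapp.te (fragment) ----
policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Diagnostic log: readable by ordinary administrators.
type myapp_log_t;
logging_log_file(myapp_log_t)

# Security data log: its own type, so read access can be granted to a
# security-officer domain by policy rather than by DAC permissions alone.
type myapp_security_log_t;
logging_log_file(myapp_security_log_t)

# The policy compiler allows only ONE unnamed type_transition per
# (source, target, class) triple, so the unnamed default for anything
# myapp_t creates in var_log_t stays myapp_log_t ...
logging_log_filetrans(myapp_t, myapp_log_t, { file dir })
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)

# ... and the security log is selected by a NAMED transition, keyed on
# the file name (assumed name; needs filename-transition support).
logging_log_filetrans(myapp_t, myapp_security_log_t, file, "myapp-security.log")
manage_files_pattern(myapp_t, myapp_security_log_t, myapp_security_log_t)

# Fallback for older toolchains without named transitions: give the
# security log its own directory. A file created inside a directory
# inherits the directory's type, so no second transition on var_log_t
# is needed; the directory is labelled by the .fc entry below.
# manage_dirs_pattern(myapp_t, myapp_security_log_t, myapp_security_log_t)

# ---- myapp.fc (fragment) ----
# /var/log/myapp\.log                  --  gen_context(system_u:object_r:myapp_log_t,s0)
# /var/log/myapp-security\.log         --  gen_context(system_u:object_r:myapp_security_log_t,s0)
# /var/log/myapp-security(/.*)?            gen_context(system_u:object_r:myapp_security_log_t,s0)
```

After `semodule -i myapp.pp` and `restorecon -Rv /var/log`, `ls -Z /var/log/myapp*` should show the two labels; a new file written by myapp_t under the assumed name should receive myapp_security_log_t without any restorecon.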
