On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote: > I have an application that has two different type out output files > that are normally written to /var/log. > > 1: diagnostic log - should be readable by "normal" system > administrators. > > 2: security data log - should only be readable by security > officers. > > > > Is there a different way to declare two different file context types > for output files? The kernel policy can only distinguish based on the creating process domain, the parent directory type, and the file class. You can therefore only define one default type assignment in the policy for any such triple. To support multiple output types, you have two choices: 1) Move one of the log files to a different subdirectory, e.g. /var/log/security, and assign that subdirectory a different type, or 2) Modify your application to call setfscreatecon(secctx) with the desired security context prior to creating the security data log file, then call setfscreatecon(NULL) afterward to restore the default labeling behavior on any subsequent file creations. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
