On 05/11/2009 01:04 PM, Stephen Smalley wrote:
> On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
>> I have an application that has two different types of output files
>> that are normally written to /var/log.
>> 1: diagnostic log - should be readable by "normal" system
>> administrators.
>> 2: security data log - should only be readable by security
>> officers.
>> Is there a different way to declare two different file context types
>> for output files?
> The kernel policy can only distinguish based on the creating process
> domain, the parent directory type, and the file class. You can
> therefore only define one default type assignment in the policy for any
> such triple. To support multiple output types, you have two choices:
> 1) Move one of the log files to a different subdirectory,
> e.g. /var/log/security, and assign that subdirectory a different type,
> or
> 2) Modify your application to call setfscreatecon(secctx) with the
> desired security context prior to creating the security data log file,
> then call setfscreatecon(NULL) afterward to restore the default labeling
> behavior on any subsequent file creations.
Or precreate the files in the init script and run restorecon on them,
then allow your confined domain to append output to the files.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list