Correct way to create /tmp files that can be used by other domains.

If my daemon creates a file in /tmp which is labelled with my domain's tmp file context as follows:

-rw-------.       1001      1000 unconfined_u:object_r:qasd_tmp_t:s0 /tmp/krb5cc_1001

other daemons such as sshd (which use kerberos) will need access to this file as well.  Is there a way to grant that access from my policy without having to specify an exact allow rule for sshd?

I am seeing audit messages about this from audit2why.

type=AVC msg=audit(1391534896.381:2642): avc:  denied  { getattr } for  pid=2070 comm="sshd" path="/tmp/krb5cc_1001" dev=dm-0 ino=281219 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:qasd_tmp_t:s0 tclass=file

audit2allow gives me the following allow rule:

allow sshd_t qasd_tmp_t:file { getattr unlink };

But I don't want to create specific allow rules like this if I can help it.



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
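To see what audit2allow is aggregating from records like the one quoted above, here is an added Python example (not code from the list post) that parses AVC denial lines of that shape and renders the resulting allow rule, which makes it easier to judge how broad a rule you would be granting before loading it. The first sample record is the one from the post; the second (the unlink denial) is constructed to match the rule audit2allow printed.

```python
import re
from collections import defaultdict

# Constructed sample AVC records: the first is the record quoted in the post,
# the second is a constructed companion denial (unlink) of the same shape.
SAMPLE_AVC = """\
type=AVC msg=audit(1391534896.381:2642): avc:  denied  { getattr } for  pid=2070 comm="sshd" path="/tmp/krb5cc_1001" dev=dm-0 ino=281219 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:qasd_tmp_t:s0 tclass=file
type=AVC msg=audit(1391534899.120:2650): avc:  denied  { unlink } for  pid=2070 comm="sshd" name="krb5cc_1001" dev=dm-0 ino=281219 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:qasd_tmp_t:s0 tclass=file
"""

# Pull the denied permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:range] -> type (the part an allow rule is written against)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} for denied AVC records."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render aggregated denials in allow-rule syntax, as audit2allow prints them."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

Because the aggregation is keyed on source type, target type and object class, every additional denial from sshd_t against qasd_tmp_t widens the same single rule, which is exactly why a per-domain rule like this grows over time.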
