On Mon, 2007-11-05 at 14:33 -0800, Clarkson, Mike R (US SSA) wrote:
> Is there an interface that gives permissions to create directories in
> the /tmp dir (allow ... tmp_t:dir create)?
>
> I couldn't find one. I found files_manage_generic_tmp_files in files.if,
> but this doesn't do it. It allows creating files but not directories of
> type tmp_t. I ended up adding an interface to files.if myself, but I
> figure that has to have come up already.

If it's a confined process, this doesn't actually come up normally. Since /tmp is shared all over the place, we usually add a type for the domain's tmp file. Then we use file_tmp_filetrans() so when the domain creates files in /tmp, it gets the right type. So this results in something like this:

    manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
    manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
    files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
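
Added example, not part of the original message or of the reference policy itself: a minimal policy module (.te file) for a hypothetical confined daemon, showing the private tmp type declaration that the reply describes alongside the three rules it quotes. The names myapp, myapp_t, myapp_exec_t and myapp_tmp_t are assumptions, as is the choice of init_daemon_domain() for how the domain is entered.

```selinux
# myapp.te - hypothetical module; all myapp* names are assumptions.
policy_module(myapp, 1.0.0)

########################################
# Declarations
#

# The confined domain and its entry point (assumed to be an init-started daemon).
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private type for everything this domain puts in /tmp.
# files_tmp_file() marks the type as a temporary-file type so it may
# live under tmp_t directories.
type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)

########################################
# Local policy
#

# Full management of the domain's own temporary directories and files.
# No access to generic tmp_t objects created by other domains is granted.
manage_dirs_pattern(myapp_t, myapp_tmp_t, myapp_tmp_t)
manage_files_pattern(myapp_t, myapp_tmp_t, myapp_tmp_t)

# Type transition: a file or directory that myapp_t creates inside a
# tmp_t directory is labelled myapp_tmp_t instead of inheriting tmp_t.
# This is why no "allow myapp_t tmp_t:dir create" rule is needed.
files_tmp_filetrans(myapp_t, myapp_tmp_t, { file dir })
```

With the module loaded, a directory the domain creates in /tmp should carry the myapp_tmp_t type rather than tmp_t, which `ls -dZ` on that directory will show.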