fedora-selinux May 2009 archive

RE: multiple output file context types?

From: Brian Ginn <BGinn_at_nospam>
Date: Fri May 15 2009 - 01:01:59 GMT
To: "'fedora-selinux-list@redhat.com'" <fedora-selinux-list@redhat.com>


Thanks for the info!

I chose to use setfscreatecon().
I had it working on Monday. It worked through this afternoon, then all of a sudden it stopped working.

Audit2why reported:
type=AVC msg=audit(1242347675.070:837): avc: denied { create } for pid=14914 comm="myapp" name="myapp.seclog" scontext=root:system_r:myapp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:myapp_sec_log_t:s0 tclass=file Was caused by: Constraint violation. Check policy/constraints. Typically, you just need to add a type attribute to the domain to satisfy the constraint.

Audit2allow shows a line that is already in the myapp.te file: allow myapp_t myapp_sec_log_t:file create;

I finally rebooted - and it works again.

Does SELinux on RHEL5.3 have any known "flakiness" that reboots normally solve?

Thanks,
Brian

-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Monday, May 11, 2009 10:05 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@redhat.com'
Subject: Re: multiple output file context types?

On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
> I have an application that has two different types of output files
> that are normally written to /var/log.
>
> 1: diagnostic log - should be readable by "normal" system
> administrators.
>
> 2: security data log - should only be readable by security
> officers.
>
> Is there a different way to declare two different file context types
> for output files?

The kernel policy can only distinguish based on the creating process domain, the parent directory type, and the file class. You can therefore only define one default type assignment in the policy for any such triple. To support multiple output types, you have two choices:

1) Move one of the log files to a different subdirectory, e.g. /var/log/security, and assign that subdirectory a different type, or

2) Modify your application to call setfscreatecon(secctx) with the desired security context prior to creating the security data log file, then call setfscreatecon(NULL) afterward to restore the default labeling behavior on any subsequent file creations.

-- 
Stephen Smalley
National Security Agency
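An added illustration of the second approach (example code written for this archive page, not code from either message in the thread). It does what libselinux's setfscreatecon() does underneath: it writes the desired label to the per-thread `/proc/self/attr/fscreate` attribute before the creating open() and clears it afterwards, so only that one file gets the special type; real applications should call setfscreatecon()/getfscreatecon() from libselinux rather than touching procattr directly. The example also adds the check a practitioner would want after seeing the denial quoted above: audit2why reported a constraint violation, not a missing allow rule, and the denial's scontext carries user `root` while the tcontext carries user `system_u`. The reference policy's policy/constraints restricts file `create` so that the process's and the file's user fields must match unless the domain carries an exempting type attribute (the "type attribute" audit2why mentions), so the helper compares the user field of the process's own context with the requested file context before attempting the create. The context strings and the `/tmp/myapp.seclog` path are constructed for the example.

```c
/* Create one log file with an explicit SELinux label, then restore
 * default labelling for every later file creation.
 * Added example, not code from the thread. The procattr file below is
 * the kernel interface behind libselinux's setfscreatecon(); prefer the
 * library call in production. Context strings here are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define FSCREATE_PATH "/proc/self/attr/fscreate" /* what setfscreatecon() writes */
#define CURRENT_PATH  "/proc/self/attr/current"  /* the process's own context */

/* Copy field idx of "user:role:type[:range]" into buf. Fields 0-2 end at
 * the next ':'; field 3 (the MLS/MCS range) runs to the end of the string,
 * since a range such as "s0-s0:c0.c1023" contains ':' itself.
 * Returns 0 on success, -1 if the field is absent or does not fit. */
int context_field(const char *ctx, int idx, char *buf, size_t buflen)
{
    const char *p = ctx;
    for (int i = 0; i < idx; i++) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    const char *end = (idx < 3) ? strchr(p, ':') : NULL;
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= buflen) return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return 0;
}

/* 1 if the user field of the process context equals that of the file
 * context; the create constraint audit2why points at requires this unless
 * the domain is exempted by policy. The denial in the thread has
 * root:... creating a system_u:... file, which fails this check. */
int user_field_matches(const char *proc_ctx, const char *file_ctx)
{
    char a[64], b[64];
    if (context_field(proc_ctx, 0, a, sizeof a) < 0) return 0;
    if (context_field(file_ctx, 0, b, sizeof b) < 0) return 0;
    return strcmp(a, b) == 0;
}

/* Set (or, with ctx == NULL, clear) the fscreate context of this thread.
 * Returns -1 with errno set; ENOENT means SELinux is not present. */
int set_fscreate(const char *ctx)
{
    int fd = open(FSCREATE_PATH, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx)) : write(fd, "", 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* Read this process's own security context (trailing NUL/newline removed). */
int read_current_context(char *buf, size_t buflen)
{
    int fd = open(CURRENT_PATH, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Create path labelled ctx and return its fd (or -1 with errno set).
 * The fscreate attribute is cleared even when open() fails, so no later
 * file creation inherits the special label by accident. */
int create_labeled_log(const char *path, const char *ctx)
{
    if (set_fscreate(ctx) < 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
    int saved = errno;
    set_fscreate(NULL);
    errno = saved;
    return fd;
}

int main(void)
{
    /* Constructed: the file context from the denial quoted in the thread. */
    const char sec_ctx[] = "system_u:object_r:myapp_sec_log_t:s0";
    char cur[256];

    if (read_current_context(cur, sizeof cur) == 0 && !user_field_matches(cur, sec_ctx))
        fprintf(stderr, "warning: process user in %s differs from %s; "
                        "expect a create constraint denial\n", cur, sec_ctx);

    int fd = create_labeled_log("/tmp/myapp.seclog", sec_ctx);
    if (fd < 0) {
        perror("create_labeled_log");
        return 1;
    }
    const char line[] = "security event record\n";
    if (write(fd, line, sizeof line - 1) < 0) perror("write");
    close(fd);
    return 0;
}
```

Run as the application's own user on an SELinux host and compare `ls -Z /tmp/myapp.seclog` with the type of a file created afterwards without the wrapper; only the first carries `myapp_sec_log_t`. A process started from a root login shell runs with user `root` in its context, whereas one started by init runs as `system_u`, which is why the user-field check is worth running before the create.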