[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

RE: multiple output file context types?

From: Brian Ginn <BGinn symark com>
To: "'fedora-selinux-list redhat com'" <fedora-selinux-list redhat com>
Subject: RE: multiple output file context types?
Date: Thu, 14 May 2009 18:01:59 -0700

Thanks for the info!

I chose to use setfscreatecon().
I had it working on Monday.  It worked through this afternoon, 
Then all the sudden it stopped working.

Audit2why reported:
type=AVC msg=audit(1242347675.070:837): avc:  denied  { create } for  pid=14914 comm="myapp" name="myapp.seclog" scontext=root:system_r:myapp_t:s0-s0:c0.c1023 tcontext=system_u:object_r:myapp_sec_log_t:s0 tclass=file
        Was caused by:
                Constraint violation.
                Check policy/constraints.
                Typically, you just need to add a type attribute to the domain to satisfy the constraint.

Audit2allow shows a line that is already in the myapp.te file:
allow myapp_t myapp_sec_log_t:file create;

I finally rebooted - and it works again.

Does SELinux on RHEL5.3 have any known "flakyness" that reboots normally solve?

Thanks,
Brian

-----Original Message-----
From: Stephen Smalley [mailto:sds tycho nsa gov] 
Sent: Monday, May 11, 2009 10:05 AM
To: Brian Ginn
Cc: 'fedora-selinux-list redhat com'
Subject: Re: multiple output file context types?

On Mon, 2009-05-11 at 09:54 -0700, Brian Ginn wrote:
> I have an application that has two different type out output files
> that are normally written to /var/log.
> 
>         1: diagnostic log - should be readable by "normal" system
> administrators.
> 
>         2: security data log - should only be readable by security
> officers.
> 
>  
> 
> Is there a different way to declare two different file context types
> for output files?

The kernel policy can only distinguish based on the creating process
domain, the parent directory type, and the file class.  You can
therefore only define one default type assignment in the policy for any
such triple.  To support multiple output types, you have two choices:
1) Move one of the log files to a different subdirectory,
e.g. /var/log/security, and assign that subdirectory a different type,
or
2) Modify your application to call setfscreatecon(secctx) with the
desired security context prior to creating the security data log file,
then call setfscreatecon(NULL) afterward to restore the default labeling
behavior on any subsequent file creations.

-- 
Stephen Smalley
National Security Agency

Follow-Ups:
- RE: multiple output file context types?
  - From: Stephen Smalley

References:
- multiple output file context types?
  - From: Brian Ginn
- Re: multiple output file context types?
  - From: Stephen Smalley

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]