Hey folks!
Here's some architectural background on my application. I have two
pieces: an agent and a library that links with an application. The
library communicates with the agent via semaphores, message queues,
and shared memory. The files corresponding to these IPC mechanisms had
been stored in /tmp. But here's the rub. The agent could run in root
space as a system wide agent, but also in user space as a development
and debugging tool. To facilitate this, each instance creates it's own
subdirectory to hold the IPC files. Since they'll need to clean this
up when they're done, I'd set the sticky bit on the directory.
So know, if I move the system queues to /var/lib as I should, I have
to have the sticky but set there, which is bad. Alternatively, if I
leave it in the /tmp directory, I don't see how I can set the ACL's
that selinux requires. The third option is to give any applications
requiring access permissions so broad as to defeat the purpose of
selinux. And the fourth is to disable selinux entirely, which is also
not good.
Advice?
TIA,
Dave