multiple output file context types?

Brian Ginn BGinn at symark.com
Mon May 11 16:54:46 UTC 2009


I have an application that has two different types of output files that are normally written to /var/log.
        1: diagnostic log - should be readable by "normal" system administrators.
        2: security data log - should only be readable by security officers.

Is there a different way to declare two different file context types for output files?


My current attempts do not work:
For the diagnostic log, I have created a log file type myapp_log_t, and created a file context:
/var/log/myapp\.log -- gen_context(system_u:object_r:myapp_log_t,s0)

Using the following policy statements, myapp creates a log file, and SELinux takes care of assigning the file context automatically:
        logging_log_file(myapp_log_t)
        logging_log_filetrans(myapp_t, myapp_log_t, { file dir } )
        manage_dirs_pattern(myapp_t, myapp_log_t,  myapp_log_t)
        manage_files_pattern(myapp_t, myapp_log_t,  myapp_log_t)

I wish to have a different type for the data log, however when I try to use logging_log_filetrans for a second log type, semodule complains:

[root@host1 log]# semodule -i /home/brian/src/myapp/myapp.pp
libsepol.expand_terule_helper: conflicting TE rule for (myapp_t, var_log_t:dir):  old was myapp_log_t, new is myappsecurity_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
[root@host1 log]#




Thanks,
Brian
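
An added example (editor's note; this is not part of Brian's message and not the myapp project's own policy) showing the usual way around the conflict above. The libsepol error is about two type_transition rules with the same source (myapp_t), target (var_log_t) and object class (dir): a type_transition is a default, and a (source, target, class) triple can have only one default. Calling logging_log_filetrans with { file dir } for both types emits a dir rule and a file rule for each, so the second call collides on the dir rule (and would collide on the file rule as well). A file created inside a directory inherits the directory's type unless a transition says otherwise, so the cheapest fix is to give the security log its own subdirectory, transition the dir to the second type, and let the files inside inherit it. The path /var/log/myapp-security, the myapp_exec_t type, the interface name myapp_read_security_log and the use of a daemon domain are assumptions made for the example; the named file transition shown in the trailing comment (the optional filename argument of logging_log_filetrans) exists in later reference policy and needs a kernel and policy version newer than the 2009 toolchain in this thread.

```m4
# myapp.te  (added example, not the original module; types/paths are assumed)
policy_module(myapp, 1.0.1)

type myapp_t;
type myapp_exec_t;          # assumed: myapp runs as a daemon from this entrypoint
init_daemon_domain(myapp_t, myapp_exec_t)

# Diagnostic log: /var/log/myapp.log, for ordinary administrators.
type myapp_log_t;
logging_log_file(myapp_log_t)

# Security data log: lives under its own directory /var/log/myapp-security/
# (assumed path) so it can carry a different type than the diagnostic log.
type myappsecurity_log_t;
logging_log_file(myappsecurity_log_t)

# Only one default transition per (source, target, class), so the two rules
# use different classes instead of both claiming { file dir } on var_log_t.
# myapp_t creating a file directly in /var/log  -> myapp_log_t
logging_log_filetrans(myapp_t, myapp_log_t, file)
# myapp_t creating a dir  directly in /var/log  -> myappsecurity_log_t
logging_log_filetrans(myapp_t, myappsecurity_log_t, dir)

# Files created inside a myappsecurity_log_t directory get the directory's
# type automatically; no further transition rule is needed for them.
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_dirs_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)
manage_files_pattern(myapp_t, myappsecurity_log_t, myappsecurity_log_t)

# Alternative on newer toolchains (named file transitions, kernel >= 2.6.39
# and policy version 25 or later): key the default on the file name, which
# lets both files sit directly in /var/log without any subdirectory:
#   logging_log_filetrans(myapp_t, myapp_log_t, file, "myapp.log")
#   logging_log_filetrans(myapp_t, myappsecurity_log_t, file, "myapp-security.log")

# myapp.fc  (the diagnostic entry is the one from the message)
# /var/log/myapp\.log           --  gen_context(system_u:object_r:myapp_log_t,s0)
# /var/log/myapp-security(/.*)?     gen_context(system_u:object_r:myappsecurity_log_t,s0)

# myapp.if  (assumed interface name) - grants read access to the security
# log to whatever domain the site uses for security officers, e.g. secadm_t
# under the MLS policy; "normal" admin domains simply never get this call.
interface(`myapp_read_security_log',`
	gen_require(`
		type myappsecurity_log_t;
	')
	logging_search_logs($1)
	list_dirs_pattern($1, myappsecurity_log_t, myappsecurity_log_t)
	read_files_pattern($1, myappsecurity_log_t, myappsecurity_log_t)
')
```

After `semodule -i myapp.pp`, run `restorecon -R /var/log/myapp-security` so an existing directory picks up the new label, and check that the module now carries exactly one default per class with `sesearch -T -s myapp_t -t var_log_t`. Whether "normal" administrators can still open the diagnostic log depends on which domains the site's admins run in; the message does not say, so the example only shows the interface that would be called for the security officers' domain.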