Correct way to create /tmp files that can be used by other domains.
Jayson Hurst
swazup at hotmail.com
Wed Feb 5 01:03:02 UTC 2014
If my daemon creates a file in /tmp which is labelled with my domains tmp file context as follows:
-rw-------. 1001 1000 unconfined_u:object_r:qasd_tmp_t:s0 /tmp/krb5cc_1001
other daemons such as sshd (which use kerberos) will need access to this file as well. Is there a way to grant that access from my policy without having to specify an exact allow rule for sshd?
I am seeing audit messages about this from audit2why.
type=AVC msg=audit(1391534896.381:2642): avc: denied { getattr } for pid=2070 comm="sshd" path="/tmp/krb5cc_1001" dev=dm-0 ino=281219 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:qasd_tmp_t:s0 tclass=file
audit2allow gives me the following allow rule:
allow sshd_t qasd_tmp_t:file { getattr unlink };
But I don't want to create specific allow rules like this if I can help it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140204/8b1b7c72/attachment.html>
More information about the selinux
mailing list