Advice needed designing packages for selinux
David Carter wrote:
> Hey folks!
> Here's some architectural background on my application. I have two
> pieces: an agent and a library that links with an application. The
> library communicates with the agent via semaphores, message queues, and
> shared memory. The files corresponding to these IPC mechanisms had been
> stored in /tmp. But here's the rub. The agent could run in root space as
> a system wide agent, but also in user space as a development and
> debugging tool. To facilitate this, each instance creates its own
> subdirectory to hold the IPC files. Since they'll need to clean this up
> when they're done, I'd set the sticky bit on the directory.
> So now, if I move the system queues to /var/lib as I should, I have to
> have the sticky bit set there, which is bad. Alternatively, if I leave
> it in the /tmp directory, I don't see how I can set the ACLs that
> selinux requires. The third option is to give any applications requiring
> access permissions so broad as to defeat the purpose of selinux. And the
> fourth is to disable selinux entirely, which is also not good.
Why not use communication via /var/run, which is cleaned up
automatically? Also have it attempt /var/run when you start and fall
back to /tmp, so if you are working in development you would use /tmp,
and in production /var/run. You should also potentially look at the
abstract namespace for socket communication (X Windows now uses this).
fedora-selinux-list mailing list
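
The fallback suggested in the reply, as an added example that is not part of the original message or of the poster's application: try a directory under /var/run first and fall back to a private mkdtemp() directory under /tmp. The function names, the `myagent` directory name and the return-code convention are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and lstat() */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create or reuse the directory `path`. Reject anything that is not a real
 * directory owned by us, or that group/others can write to. 0 on success. */
static int claim_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)          /* lstat: do not follow a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & 022))
        return -1;
    return 0;
}

/* Choose where the IPC files live. Returns 0 when <sys_base>/<name> is
 * usable (system-wide agent), 1 when it fell back to a fresh, unpredictable
 * 0700 directory under <tmp_base> (development use), -1 on error. */
int ipc_dir(const char *sys_base, const char *tmp_base, const char *name,
            char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", sys_base, name);
    if (n > 0 && (size_t)n < outlen && claim_dir(out) == 0)
        return 0;
    n = snprintf(out, outlen, "%s/%s.XXXXXX", tmp_base, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) ? 1 : -1;
}

int main(void)
{
    char dir[PATH_MAX];
    int r = ipc_dir("/var/run", "/tmp", "myagent", dir, sizeof dir);
    if (r < 0) { perror("ipc_dir"); return 1; }
    printf("%s instance, IPC files in %s\n", r ? "development" : "system", dir);
    return 0;
}
```

Because the /tmp fallback is created with mkdtemp(), each development instance gets its own 0700 directory and no sticky bit is needed on a shared parent that the application manages.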