09-19-2008, 05:09 PM
David Carter

Advice needed designing packages for selinux

Hey folks!

Here's some architectural background on my application. I have two
pieces: an agent and a library that links with an application. The
library communicates with the agent via semaphores, message queues,
and shared memory. The files corresponding to these IPC mechanisms had
been stored in /tmp. But here's the rub. The agent could run in root
space as a system-wide agent, but also in user space as a development
and debugging tool. To facilitate this, each instance creates its own
subdirectory to hold the IPC files. Since they'll need to clean this
up when they're done, I'd set the sticky bit on the directory.


So now, if I move the system queues to /var/lib as I should, I have
to have the sticky bit set there, which is bad. Alternatively, if I
leave it in the /tmp directory, I don't see how I can set the ACLs
that selinux requires. The third option is to give any applications
requiring access permissions so broad as to defeat the purpose of
selinux. And the fourth is to disable selinux entirely, which is also
not good.


Advice?

TIA,
Dave

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
09-22-2008, 03:19 PM
Daniel J Walsh

Advice needed designing packages for selinux

David Carter wrote:
> Hey folks!
>
> Here's some architectural background on my application. I have two
> pieces: an agent and a library that links with an application. The
> library communicates with the agent via semaphores, message queues, and
> shared memory. The files corresponding to these IPC mechanisms had been
> stored in /tmp. But here's the rub. The agent could run in root space as
> a system-wide agent, but also in user space as a development and
> debugging tool. To facilitate this, each instance creates its own
> subdirectory to hold the IPC files. Since they'll need to clean this up
> when they're done, I'd set the sticky bit on the directory.
>
> So now, if I move the system queues to /var/lib as I should, I have to
> have the sticky bit set there, which is bad. Alternatively, if I leave
> it in the /tmp directory, I don't see how I can set the ACLs that
> selinux requires. The third option is to give any applications requiring
> access permissions so broad as to defeat the purpose of selinux. And the
> fourth is to disable selinux entirely, which is also not good.
>
> Advice?
>
Why not use communication via /var/run, which is cleaned up
automatically? Also have it attempt /var/run when you start and fall
back to /tmp, so if you are working in development you would use /tmp
and in production /var/run. You should also potentially look at the
abstract namespace for socket communication (X Windows now uses this).
> TIA,
> Dave

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
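
The lookup order suggested in the reply above (/var/run first, /tmp as the fallback), sketched in C as an added example that is not part of the original thread. The function name `choose_ipc_dir`, the directory name `myagent` and the ownership and permission checks are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and lstat() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: choose the directory that will hold the IPC files.
 * Returns 0 if <primary_base>/<name> is used, 1 if a private fallback
 * directory was created, -1 on error. The chosen path is written to out. */
int choose_ipc_dir(const char *primary_base, const char *fallback_base,
                   const char *name, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/%s", primary_base, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;

    /* Production run: a fixed location under the primary base. */
    if (mkdir(out, 0700) == 0)
        return 0;

    /* Reuse a leftover directory only if it is a real directory (lstat does
     * not follow symlinks), owned by us, and closed to group and other. */
    if (errno == EEXIST && lstat(out, &st) == 0 && S_ISDIR(st.st_mode) &&
        st.st_uid == geteuid() && (st.st_mode & 077) == 0)
        return 0;

    /* Development run: the fallback base is world-writable, so let mkdtemp()
     * create an unpredictable directory with mode 0700 atomically. */
    n = snprintf(out, outlen, "%s/%s.XXXXXX", fallback_base, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) != NULL ? 1 : -1;
}

int main(void)
{
    char path[4096];
    /* "myagent" is a placeholder name, not the poster's application. */
    int rc = choose_ipc_dir("/var/run", "/tmp", "myagent", path, sizeof path);
    if (rc < 0) {
        perror("choose_ipc_dir");
        return 1;
    }
    printf("%s IPC directory: %s\n", rc == 0 ? "system" : "private", path);
    return 0;
}
```

Because each fallback directory is private to the user who created it, the instance can remove it on exit without relying on a sticky bit on a shared directory.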
 

All times are GMT.