Advice needed designing packages for selinux

Advice needed designing packages for selinux

by grandcross

Hey folks!

Here's some architectural background on my application. I have two  
pieces: an agent and a library that links with an application. The  
library communicates with the agent via semaphores, message queues,  
and shared memory. The files corresponding to these IPC mechanisms had  
been stored in /tmp. But here's the rub. The agent could run in root  
space as a system wide agent, but also in user space as a development  
and debugging tool. To facilitate this, each instance creates its own  
subdirectory to hold the IPC files. Since they'll need to clean this  
up when they're done, I'd set the sticky bit on the directory.

So now, if I move the system queues to /var/lib as I should, I have  
to have the sticky bit set there, which is bad. Alternatively, if I  
leave it in the /tmp directory, I don't see how I can set the ACLs  
that selinux requires. The third option is to give any applications  
requiring access permissions so broad as to defeat the purpose of  
selinux. And the fourth is to disable selinux entirely, which is also  
not good.

Advice?

TIA,
Dave

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Advice needed designing packages for selinux

by Daniel J Walsh

David Carter wrote:

> Hey folks!
>
> Here's some architectural background on my application. I have two
> pieces: an agent and a library that links with an application. The
> library communicates with the agent via semaphores, message queues, and
> shared memory. The files corresponding to these IPC mechanisms had been
> stored in /tmp. But here's the rub. The agent could run in root space as
> a system wide agent, but also in user space as a development and
> debugging tool. To facilitate this, each instance creates its own
> subdirectory to hold the IPC files. Since they'll need to clean this up
> when they're done, I'd set the sticky bit on the directory.
>
> So now, if I move the system queues to /var/lib as I should, I have to
> have the sticky bit set there, which is bad. Alternatively, if I leave
> it in the /tmp directory, I don't see how I can set the ACLs that
> selinux requires. The third option is to give any applications requiring
> access permissions so broad as to defeat the purpose of selinux. And the
> fourth is to disable selinux entirely, which is also not good.
>
> Advice?
>
Why not use communication via /var/run?  Which is cleaned up
automatically?  Also have it attempt /var/run when you start and fall
back to /tmp so if you are working in development, you would use /tmp
and in production /var/run.  You should also potentially look at the
abstract namespace for socket communication (X Windows now uses this).

> TIA,
> Dave
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
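
The "attempt /var/run at startup, fall back to /tmp" suggestion from the reply above, sketched in C as an added example that is not code from either poster. The function names and the agent name `myagent` are hypothetical; the sketch covers only the directory choice, not the abstract socket namespace, and it refuses any existing entry that is a symlink, owned by another user, or accessible to group or others.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create (or reuse) base/name as a private 0700 directory owned by us.
 * Returns 0 on success, -1 if the base is unusable or the entry is unsafe. */
static int private_dir(const char *base, const char *name, char *out, size_t len)
{
    struct stat st;
    if (snprintf(out, len, "%s/%s", base, name) >= (int)len)
        return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;                       /* e.g. EACCES for a non-root user */
    /* lstat, not stat: a symlink planted in a shared directory must fail. */
    if (lstat(out, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;                       /* someone else's, or too open */
    return 0;
}

/* Try the system location first, then a per-user directory in the fallback. */
int choose_ipc_dir(const char *primary, const char *fallback,
                   const char *agent, char *out, size_t len)
{
    char name[128];
    if (private_dir(primary, agent, out, len) == 0)
        return 0;
    snprintf(name, sizeof name, "%s-%lu", agent, (unsigned long)geteuid());
    return private_dir(fallback, name, out, len);
}

int main(void)
{
    char dir[4096];
    /* "myagent" is a placeholder name for this example. */
    if (choose_ipc_dir("/var/run", "/tmp", "myagent", dir, sizeof dir) != 0) {
        fprintf(stderr, "no safe IPC directory available\n");
        return 1;
    }
    printf("IPC files go in %s\n", dir);
    return 0;
}
```

Because each instance owns its own 0700 subdirectory, it can remove its IPC files on exit without relying on the parent's sticky bit.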