On Wednesday, February 24, 2016 04:40:13 PM Lev Stipakov wrote: > My audisp plugin has a file-based database in /var/lib/xxx directory. I > noticed that on systems with SELinux enabled plugin cannot read/write > that file. > > According to ps, plugin is run under audisp_t domain: > > -bash-4.1$ ps axZ | grep plugin > unconfined_u:system_r:audisp_t:s0 1845 ? S< 0:00 /usr/sbin/plugin 1 > > Obviously I don't want to disable SELinux. What would be the recommended > way to allow plugin read/write file(s) under /var/run/xxx ?
The plugin should have its own policy. I don't think audisp_t should be broadened to allow things it shouldn't be doing. There are probably several people on this list that can give you advice on creating a policy. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
