next up previous contents
Next: 11 Access control to Up: 10 Access control to Previous: 10.2 What is allowtmp?   Contents

10.3 Syntax and meaning

  1. Syntax
    1. allowtmp -dir directory -name label permission;
    2. allowtmp -fs file_system_name -name label permission;
       permission uses the same permission names as a file permission in allow, and can be omitted.
  2. Meaning
    1. When the domain being configured (the one named by the preceding domain statement) creates a file under directory, the file is labeled label, and the domain is granted permission on the files it created. permission can be omitted; when it is omitted, access to the label can be granted separately with allow.
    2. The -fs form configures allowtmp for file systems that do not support extended attributes. Currently this can be used only for tmpfs.
    3. About label
      • When label is auto, the label name is generated from the domain and the directory. For example, if the domain is hoge_t and the directory is /var/, the label is hoge_var_t.
      • When label is all or *, it means all files under directory that were created through allowtmp, by any domain.
  3. Example
    domain httpd_t;
    allowtmp -dir /var/run -name auto r,w;
    
    Files created under /var/run by httpd_t are labeled httpd_var_run_t, and httpd_t gets r,w access to those files.

    domain httpd_t;
    allowtmp -dir /var/run -name auto r,w;
    domain named_t;
    allowtmp -dir /var/run -name auto r,w;
    domain initrc_t;
    allowtmp -dir /var/run -name all r,w;
    
    Files created under /var/run by httpd_t are labeled httpd_var_run_t, and httpd_t gets r,w access to them (named_t cannot access them). Files created under /var/run by named_t are labeled named_var_run_t, and named_t gets r,w access to them (httpd_t cannot access them). initrc_t gets r,w access to both sets of files because -name all is specified; -name all is the way to give an administrative domain access to the files created through allowtmp.
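    The following is an added worked example, not code from seedit or from this manual: a small Python model that parses the allowtmp statements of the second example, derives the auto label names with the rule stated above (hoge_t plus /var/ gives hoge_var_t), and answers which domain gets which permission on which label, including the effect of -name all. Only the -dir form is modelled; the auto-naming rule is assumed to drop the domain's trailing _t and join the directory's path components with underscores, which matches the two labels on this page but is not guaranteed to match seedit's own implementation for other paths. The policy text embedded in the block is constructed from the page's example.

```python
import re
from dataclasses import dataclass

# Constructed input: the page's second allowtmp example, typed as an SPDL
# fragment. It is sample text for this model, not a policy file shipped
# with seedit.
POLICY = """
domain httpd_t;
allowtmp -dir /var/run -name auto r,w;
domain named_t;
allowtmp -dir /var/run -name auto r,w;
domain initrc_t;
allowtmp -dir /var/run -name all r,w;
"""

DOMAIN_RE = re.compile(r"domain\s+(\w+)\s*;")
# Only the -dir form is modelled; the -fs (tmpfs) form is not covered here.
ALLOWTMP_RE = re.compile(
    r"allowtmp\s+-dir\s+(\S+)\s+-name\s+(\S+)(?:\s+([\w,]+))?\s*;")


def auto_label(domain: str, directory: str) -> str:
    """Label name for '-name auto', following the page's rule that domain
    hoge_t plus directory /var/ gives hoge_var_t.

    Assumption (not stated on the page): the trailing '_t' of the domain is
    dropped and the directory's path components are joined with '_'."""
    base = domain[:-2] if domain.endswith("_t") else domain
    parts = [p for p in directory.split("/") if p]
    return "_".join([base, *parts]) + "_t"


@dataclass(frozen=True)
class AllowTmp:
    domain: str        # domain the statement belongs to (preceding 'domain ...;')
    directory: str     # argument of -dir
    name: str          # 'auto', 'all', '*' or an explicit label
    perms: frozenset   # permission set; empty when permission was omitted


def parse(text: str) -> list:
    """Parse domain and allowtmp statements into AllowTmp records."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DOMAIN_RE.fullmatch(line)):
            current = m.group(1)
            continue
        if (m := ALLOWTMP_RE.fullmatch(line)):
            if current is None:
                raise ValueError("allowtmp before any domain statement: " + line)
            directory, name, perms = m.groups()
            rules.append(AllowTmp(current, directory, name,
                                  frozenset(perms.split(",")) if perms else frozenset()))
            continue
        raise ValueError("unrecognised statement: " + line)
    return rules


def effective_label(rule: AllowTmp) -> str:
    """Resolve '-name auto' to the generated label; other names are literal."""
    return auto_label(rule.domain, rule.directory) if rule.name == "auto" else rule.name


def labels_created(rules: list) -> dict:
    """(domain, directory) -> label given to files that domain creates there.
    '-name all' / '*' statements grant access but create no label of their own."""
    return {(r.domain, r.directory): effective_label(r)
            for r in rules if r.name not in ("all", "*")}


def access(rules: list, domain: str, label: str) -> frozenset:
    """Permissions `domain` holds on files labelled `label` through allowtmp.
    A '-name all' statement reaches every label that some allowtmp statement
    creates under the same directory, and nothing else."""
    created = labels_created(rules)
    perms = set()
    for r in rules:
        if r.domain != domain:
            continue
        if r.name in ("all", "*"):
            if any(d == r.directory and lbl == label for (_, d), lbl in created.items()):
                perms |= r.perms
        elif effective_label(r) == label:
            perms |= r.perms
    return frozenset(perms)


if __name__ == "__main__":
    rules = parse(POLICY)
    for (dom, d), lbl in labels_created(rules).items():
        print(f"{dom} creates {lbl} under {d}")
    for dom in ("httpd_t", "named_t", "initrc_t"):
        for lbl in ("httpd_var_run_t", "named_var_run_t"):
            print(f"{dom:9} -> {lbl}: {sorted(access(rules, dom, lbl)) or 'no access'}")
```

    Running the block reproduces the page's reading of the example: httpd_t and named_t each reach only their own label, while initrc_t, through -name all, reaches both labels but not labels that no allowtmp statement under /var/run creates.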


Yuichi Nakamura 2006-11-13