How can I check (with SELinux) access to the file by process name?
For example, we have 2 processes:
/usr/bin/foo1
/usr/bin/foo2
They run under the account with username userA and try to open the following file for modification:
/home/userA/test.txt
I want that if foo1 tries to open the file, it's OK. But if foo2 tries to open this file, I get a message about it in /var/log.
The problem is that both processes have the same user ID, and I can't use RBAC by username.
You'd have to give both foo1 and foo2 custom domain types to run in using SELinux policy. This would entail:
- Create types for the binaries (e.g. foo1_exec_t and foo2_exec_t)
- Create types for the processes (e.g. foo1_t and foo2_t)
- Specify that when the user type (likely unconfined_t) executes foo1_exec_t, it transitions to foo1_t, and similarly for foo2
Then you need to create a custom type for test.txt (e.g. test_t).
Once you've done this, you can write whatever policy you like for these (including an auditallow rule for the particular access you're looking for). The catch is that by creating custom types, you'll have to specify all access for them.
If you're not looking to do any access control, but rather just log when something happens, the audit subsystem is a better choice, though I don't know that you can be this granular with it.
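The steps in the answer above, carried through as an added example (this is not code from the question or the answer): a script that generates a minimal SELinux policy module with foo1_exec_t/foo2_exec_t, foo1_t/foo2_t and test_t, the exec transitions from unconfined_t, an allow rule for foo1 only, and file contexts for the three paths, then builds and loads it. It assumes a Fedora/RHEL-style targeted policy with the reference-policy macros, selinux-policy-devel installed for /usr/share/selinux/devel/Makefile, and root for the install step; the module name foo_split, the subcommand names and the exact permission sets are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above: a minimal
# SELinux policy module that puts /usr/bin/foo1 and /usr/bin/foo2 in their own
# domains and gives /home/userA/test.txt a private type, so that foo1 can
# modify the file while the same attempt by foo2 is denied and logged as an
# AVC record in /var/log/audit/audit.log.
#
# Assumptions (not stated on the page): a Fedora/RHEL-style targeted policy
# with the reference-policy macros, selinux-policy-devel installed (for
# /usr/share/selinux/devel/Makefile), and root for the install step. The module
# name "foo_split" and the permission sets are choices made for this example.

set -eu

MODULE=foo_split

# Type-enforcement source. Printed to stdout so it can be reviewed without
# touching the running policy.
gen_te() {
    cat <<'EOF'
policy_module(foo_split, 1.0)

require {
    type unconfined_t;
}

# Types for the two binaries and for the processes they become.
type foo1_exec_t;
type foo2_exec_t;
type foo1_t;
type foo2_t;
domain_type(foo1_t)
domain_type(foo2_t)
domain_entry_file(foo1_t, foo1_exec_t)
domain_entry_file(foo2_t, foo2_exec_t)

# Private type for the protected file.
type test_t;
files_type(test_t)

# When unconfined_t executes foo1_exec_t the new process runs as foo1_t
# (and likewise for foo2); the pattern also grants the exec/transition perms.
domtrans_pattern(unconfined_t, foo1_exec_t, foo1_t)
domtrans_pattern(unconfined_t, foo2_exec_t, foo2_t)

# foo1 may open test.txt for modification.
allow foo1_t test_t:file { getattr open read write };

# Deliberately nothing for foo2_t on test_t: the open fails with EACCES and,
# since there is no dontaudit rule, the kernel emits an AVC denial.
# To let foo2 succeed but still log the write, use instead:
#   allow foo2_t test_t:file { getattr open read write };
#   auditallow foo2_t test_t:file { open write };
EOF
}

# File contexts: label the binaries and the protected file.
gen_fc() {
    cat <<'EOF'
/usr/bin/foo1          --  gen_context(system_u:object_r:foo1_exec_t,s0)
/usr/bin/foo2          --  gen_context(system_u:object_r:foo2_exec_t,s0)
/home/userA/test\.txt  --  gen_context(system_u:object_r:test_t,s0)
EOF
}

# Build the module with the refpolicy Makefile, load it, and apply the labels.
install_module() {
    workdir=$(mktemp -d)
    gen_te > "$workdir/$MODULE.te"
    gen_fc > "$workdir/$MODULE.fc"
    (cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$workdir/$MODULE.pp"
    restorecon -v /usr/bin/foo1 /usr/bin/foo2 /home/userA/test.txt
    ls -Z /usr/bin/foo1 /usr/bin/foo2 /home/userA/test.txt
}

# Show the AVC records produced when foo2 tried to open the file.
show_denials() {
    ausearch -m AVC -c foo2 -ts recent
}

case "${1:-show}" in
    install) install_module ;;
    denials) show_denials ;;
    *)       gen_te; printf '\n# --- %s.fc ---\n' "$MODULE"; gen_fc ;;
esac
```

Run it with no argument to review the generated .te and .fc, `install` as root to load the module and relabel, then run foo1 and foo2 as userA and use `denials` to see the AVC record for foo2. Two caveats a practitioner will hit. First, this is exactly the catch the answer warns about: foo1_t and foo2_t have almost no other rules, so in enforcing mode the programs will not even get past loading their shared libraries. The usual way to flesh the policy out is to make the new domains permissive while developing (`semanage permissive -a foo1_t`, likewise for foo2_t), exercise the programs, and turn the resulting AVC records into rules with `audit2allow`; note that a permissive foo2_t on its own already gives the asker's behaviour, since foo2 keeps working but every access it has no rule for, including the open of test_t, is logged. Second, an editor that saves by writing a new file and renaming it over test.txt leaves the new file labelled user_home_t, so the label must be restored with `restorecon` (or the rename avoided). On the audit-only route the answer mentions: with audit 2.6 or later on a 4.3+ kernel, syscall rules accept an `exe` filter, e.g. `auditctl -a always,exit -F arch=b64 -S open -S openat -F exe=/usr/bin/foo2 -F path=/home/userA/test.txt -k foo2_test`, which logs foo2's opens of the file without any SELinux policy.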