I want to limit access to a single directory on the hard disk (log files) to few processes (log files for a single process for example). All processes run under the same user, so file system access restrictions are not an option.
What are my options? AppArmor? SELinux?
I don't want to restrict single processes, I want to restrict all processes from accessing a directory except a few select ones. Seems AppArmor can't do that.
The upside -- yes, you can do this with SELinux. The downside -- you have to know SELinux. :)
You can execute these processes in different SELinux domains. E.g. let's call two processes "privapp" and "unprivapp" -- privapp is able to access /var/lib/app/log and unprivapp cannot access /var/lib/app/log, despite running as the same user.
So, you create two domains privapp_t and unprivapp_t and label the executables as privapp_exec_t and unprivapp_exec_t. You then label /var/lib/app/log as var_lib_privapp_rw_t and indicate that only a process running as privapp_t is able to access it.
This is the easy part -- the hard part is expressing the above in the policy language, which is the bit known to drive grown men and women to tears. :)
I don't think you are going to be able to accomplish that with only a single user. The closest thing to what you are talking about that I can think of is the way Android does it, and that is simply that each process runs under it's own user, thus it can only access it's own files and files of those processes that allow it access. Processes themselves aren't strong identities in any system I know of.
I would recommend to look into remote syslog. This way you can be sure that logs cannot be deleted or tampered with.
