/tmp on tmpfs with selinux enabled

From: Aleksandar Milivojevic (amilivojevic_at_pbl.ca)
Date: 05/06/05

    Date: Fri, 06 May 2005 09:59:47 -0500
    To: Fedora <fedora-list@redhat.com>

    I'm still discovering SELinux stuff, and I ran into a small problem with
    the default targeted policy and the /tmp directory. So I thought about saving a
    bit of my time, and wasting a bit of everybody else's time ;-). Hm, OK,
    maybe I shouldn't be making jokes like that... Anyhow:

    Basically, I have /tmp mounted on a small tmpfs file system (to keep it
    separate from the root partition, without the need for allocating dedicated disc
    space for it). Now, the root directory of anything mounted as tmpfs will be
    labeled as tmpfs_t by SELinux (for example, see the output of ls -Zd
    /dev/shm, which is by default mounted as tmpfs on Fedora and RHEL).

    So far so good. What is not good is that default targeted policy mostly
    has rules for tmp_t, not tmpfs_t, when dealing with access to /tmp. So
    OK, I could grep for all rules where tmp_t is mentioned, and make
    another set of identical rules for tmpfs_t.

    Instead of doing that, I attempted using chcon to set the tmp_t context on
    /tmp just after it is mounted. However, this doesn't seem to help. The
    applications that ran fine when /tmp was part of a "normal" disc-based ext3
    file system are blocked by SELinux when /tmp is on tmpfs. By
    "applications", I mainly mean the postgresql database. I know about that
    database initialization problem with the older targeted policy, and this is
    not the case here (the database is already initialized).

    The log suggests that postgresql was prevented from creating a file
    inside /tmp, since the rule says it is allowed to do that on tmp_t, and /tmp
    was tmpfs_t. Which is strange. I did chcon -t tmp_t /tmp, and ls -Zd
    /tmp clearly shows it labeled as tmp_t. I thought anything created
    inside /tmp would inherit its context?

    I looked into the manual page for mount, and there doesn't seem to be an
    option (at least not documented in the manual page, maybe somewhere
    else?) to set the default context for a tmpfs file system to something other
    than tmpfs_t.

    I've also noticed that in
    /etc/selinux/targeted/contexts/files/file_contexts, there is this set of
    lines for /tmp (and similar for /var/tmp, and /usr/tmp):

    /tmp -d system_u:object_r:tmp_t
    /tmp/.* <<none>>

    I guess the information in this file is used for restorecon only? Or is it
    also used when initially creating new files? I believe it's the former,
    and that files inherit the parent directory's context. But, if I'm wrong,
    this too might have something to do with my problems...

    Is my only option creating duplicate rules in the targeted policy for
    tmpfs_t (that would mirror the rules that reference tmp_t)? Or is there a
    way to make a tmpfs-based /tmp behave like it was part of a "normal" ext3
    file system?

    -- 
    Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
    Systems Administrator                           1499 Buffalo Place
    Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
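One way to audit how a tmpfs mount is labelled, as an added example that is not part of the original post: the `context=` mount option documented in mount(8) assigns a single SELinux context to every inode of the mounted filesystem, which is different from a chcon on the root directory alone. The script below parses /proc/mounts-style lines (a constructed sample is embedded) and reports the type that files on a given tmpfs receive; the function names and the sample mount table are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a mount table in the
# /proc/mounts format and reports the SELinux type applied to a tmpfs mount.

# Constructed sample in /proc/mounts format: /tmp is mounted with an explicit
# context= option, /dev/shm is left at the tmpfs default.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,seclabel 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel,context=system_u:object_r:tmp_t 0 0
/dev/sda1 / ext3 rw,seclabel 0 0'

# tmpfs_type MOUNTPOINT [MOUNTS_TEXT]
# Prints the SELinux type that files on the tmpfs at MOUNTPOINT receive:
# the type field of a context= option when one is set, otherwise the default
# tmpfs_t. Returns 1 when MOUNTPOINT is not a tmpfs in the table.
# Without MOUNTS_TEXT the live /proc/mounts is read.
tmpfs_type() {
  mnt=$1
  table=${2:-$(cat /proc/mounts)}
  printf '%s\n' "$table" | awk -v mnt="$mnt" '
    $2 == mnt && $3 == "tmpfs" {
      found = 1
      type = "tmpfs_t"
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) {
        if (opts[i] ~ /^context=/) {
          sub(/^context=/, "", opts[i])
          split(opts[i], ctx, ":")   # user:role:type[:range]
          type = ctx[3]
        }
      }
      print type
    }
    END { exit found ? 0 : 1 }'
}

# fstab_line MOUNTPOINT SIZE
# Prints an /etc/fstab entry that mounts a tmpfs at MOUNTPOINT with every
# inode labelled tmp_t instead of the tmpfs_t default (hypothetical entry).
fstab_line() {
  printf 'tmpfs %s tmpfs size=%s,nosuid,nodev,context=system_u:object_r:tmp_t 0 0\n' "$1" "$2"
}

tmpfs_type /tmp "$SAMPLE_MOUNTS"       # tmp_t
tmpfs_type /dev/shm "$SAMPLE_MOUNTS"   # tmpfs_t
fstab_line /tmp 256m
```

Run it without the second argument to inspect the live system; a result of tmpfs_t for /tmp means the policy rules written for tmp_t will not match files created there.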
