Re: /tmp on tmpfs with selinux enabled

From: Daniel J Walsh (dwalsh_at_redhat.com)
Date: 05/06/05

    Date: Fri, 06 May 2005 11:47:24 -0400
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Aleksandar Milivojevic wrote:

    > I'm still discovering SELinux stuff, and I ran into small problem with
    > default targeted policy and /tmp directory. So I thought about saving
    > a bit of my time, and wasting a bit of everybody else's time ;-). Hm,
    > OK, maybe I shouldn't be making jokes like that... Anyhow:
    >
    > Basically, I have /tmp mounted on small tmpfs file system (to keep it
    > separate from root partition, without need for allocating dedicated
    > disc space for it). Now, root directory of anything mounted as tmpfs
    > will be labeled as tmpfs_t by SELinux (for example, see output of ls
    > -Zd /dev/shm, which is by default mounted as tmpfs on Fedora and RHEL).
    >
    > So far so good. What is not good is that default targeted policy
    > mostly has rules for tmp_t, not tmpfs_t, when dealing with access to
    > /tmp. So OK, I could grep for all rules where tmp_t is mentioned, and
    > make another set of identical rules for tmpfs_t.
    >
    > Instead of doing that, I attempted using chcon to set tmp_t context to
    > /tmp just after it is mounted. However this doesn't seem to help.
    > The applications that ran fine when /tmp is part of "normal" disc
    > based ext3 file system, are blocked by SELinux when /tmp is on tmpfs.
    > By "applications", I mainly mean postgresql database. I know about
    > that database initialization problem with older targeted policy, and
    > this is not the case here (database is already initialized).
    >
    > The log suggests that postgresql was prevented from creating a file
    > inside /tmp, since rule says it is allowed to do that on tmp_t, and
    > /tmp was tmpfs_t. Which is strange. I did chcon -t tmp_t /tmp, and
    > ls -Zd /tmp clearly shows it labeled as tmp_t. I thought anything
    > created inside /tmp would inherit its context?
    >
    > I looked into manual page for mount, and there doesn't seem to be an
    > option (at least not documented in the manual page, maybe somewhere
    > else?) to set default context for a tmpfs file system to something
    > other than tmpfs_t.
    >
    > I've also noticed that in
    > /etc/selinux/targeted/contexts/files/file_contexts, there is this set
    > of lines for /tmp (and similar for /var/tmp, and /usr/tmp):
    >
    > /tmp -d system_u:object_r:tmp_t
    > /tmp/.* <<none>>
    >
    > I guess information in this file is used for restorecon only? Or is
    > it also used when initially creating new files? I believe it's the
    > former, and that files inherit parent directory's context. But, if
    > I'm wrong, this too might have something to do with my problems...
    >
    > Is my only option creating duplicate rules in targeted policy for
    > tmpfs_t (that would mirror rules that reference tmp_t)? Or is there a
    > way to make tmpfs based /tmp behave like it was part of "normal" ext3
    > file system?
    >
    This was previously discussed in the fedora-selinux list. Look for a
    subject of "using tmpfs for /tmp and selinux"

    If you add the context mount to your fstab entry, it should work
    context=system_u:object_r:tmp_t

    Something like

    none /tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
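The fix above relies on the `context=` mount option in the fstab entry, and a common failure mode is a tmpfs mount that was added without it (which is why `chcon` on the mount point alone did not help the original poster). The following shell script is an added example, not code from the thread or from Fedora: it audits fstab-style entries for tmpfs mounts, reports the SELinux context each one is configured with, and checks that `/tmp` gets the `tmp_t` type the targeted policy expects. The fstab text embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit fstab entries for tmpfs
# mounts and report whether each carries an explicit SELinux context= option.
# SAMPLE_FSTAB is constructed sample data, not a real system's /etc/fstab.

SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
none /tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0
tmpfs /dev/shm tmpfs defaults 0 0
none /var/tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0'

# tmpfs_context MOUNTPOINT [FSTAB_TEXT]
# Prints the SELinux context configured for the tmpfs entry at MOUNTPOINT,
# or "none" when the entry has no context= option. Returns 1 when no tmpfs
# entry exists for that mount point. Without FSTAB_TEXT the sample is used;
# pass "$(cat /etc/fstab)" to audit a real system.
tmpfs_context() {
    mp="$1"
    fstab="${2:-$SAMPLE_FSTAB}"
    printf '%s\n' "$fstab" | awk -v mp="$mp" '
        $1 ~ /^#/ { next }                     # skip comment lines
        $2 == mp && $3 == "tmpfs" {
            found = 1
            n = split($4, opts, ",")           # options are comma separated
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^context=/) {
                    sub(/^context=/, "", opts[i])
                    print opts[i]
                    exit
                }
            }
            print "none"
            exit
        }
        END { if (!found) exit 1 }
    '
}

# tmp_is_labeled_tmp_t [FSTAB_TEXT]
# Succeeds only if /tmp is a tmpfs mount whose context= option sets the
# tmp_t type (with or without a trailing MLS level such as :s0).
tmp_is_labeled_tmp_t() {
    ctx=$(tmpfs_context /tmp "${1:-$SAMPLE_FSTAB}") || return 1
    case "$ctx" in
        *:tmp_t|*:tmp_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every tmpfs entry in the sample so the missing context on /dev/shm
# stands out next to the correctly configured /tmp and /var/tmp entries.
for mp in /tmp /dev/shm /var/tmp; do
    printf '%-10s context=%s\n' "$mp" "$(tmpfs_context "$mp")"
done
if tmp_is_labeled_tmp_t; then
    echo "/tmp: tmpfs entry sets tmp_t, targeted policy rules for /tmp apply"
else
    echo "/tmp: tmpfs entry missing context=...:tmp_t, files will be tmpfs_t"
fi
```

After changing fstab, remount (`mount -o remount /tmp`) and confirm with `ls -Zd /tmp` that the directory itself now reports `tmp_t`; files created afterwards inherit that type, which is what the `chcon` approach could not guarantee because the mount's default labeling still said `tmpfs_t`.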
    
