using tmpfs for /tmp and selinux

dragoran dragoran at feuerpokemon.de
Thu Mar 24 07:43:41 UTC 2005


Stephen Smalley wrote:

>On Wed, 2005-03-23 at 13:11 +0100, dragoran wrote:
>
>>Is it possible to use tmpfs for /tmp with selinux (targeted) ...
>>I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp
>
>You could try mounting with the context= option, e.g.
>context=system_u:object_r:tmp_t.  This will force the superblock and
>root directory to tmp_t, and then files created in it should pick up the
>usual type transitions by default (e.g. mysqld_tmp_t).  However, at
>present, using this option disables the use of getxattr/setxattr and
>setfscreatecon on the filesystem, so note that ls -Z and similar
>programs will no longer be able to get or set contexts on /tmp.
>
>Note to James:  Possibly we should reconsider the disabling of
>getxattr/setxattr and setfscreatecon for mountpoint labeling for pseudo
>filesystems like tmpfs, since we are just dealing with an incore inode
>SID and there is no persistent storage, so there is no inconsistency. 
>
doesn't seem to work:
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
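As an added triage example (not part of the original message, and not SELinux or Fedora tooling): the Python below parses the four AVC lines posted above, groups the denials by source type, target type, object class and permission, and prints the allow rule whose absence each group implies. For tclass=filesystem with permission associate, scontext is the label of the file being created and tcontext is the label of the filesystem's superblock, so these denials say the loaded policy has no rule letting tmp_t files live on a filesystem that is itself labelled tmp_t. The regular expressions assume the 2005-era audit(...) syslog format shown in the message; the log lines are the message's own data, re-joined onto one line each.

```python
"""Triage AVC denials: parse each audit line, group the denials by
(source type, target type, class, permission) and derive the allow rule
each group implies. Written for the 2005 kernel audit(...) syslog format."""
import re
from collections import Counter

# The four AVC messages from the post above (page data, not constructed),
# re-joined onto one line each because the mail client wrapped them.
AVC_LINES = [
    "Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): "
    "avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary "
    "name=.ICE-unix scontext=user_u:object_r:tmp_t "
    "tcontext=system_u:object_r:tmp_t tclass=filesystem",
    "Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): "
    "avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary "
    "name=.X11-unix scontext=user_u:object_r:tmp_t "
    "tcontext=system_u:object_r:tmp_t tclass=filesystem",
    "Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): "
    "avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary "
    "name=.X11-unix scontext=user_u:object_r:tmp_t "
    "tcontext=system_u:object_r:tmp_t tclass=filesystem",
    "Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): "
    "avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg "
    "name=.tX0-lock scontext=user_u:object_r:tmp_t "
    "tcontext=system_u:object_r:tmp_t tclass=filesystem",
]

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC line (result, perms, and every key=value
    field), or None if the line is not an AVC message at all."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def split_context(ctx):
    """Split user:role:type[:range] into its fields. The policy in the post
    has no MLS range, so 'range' is None for all of its contexts."""
    user, role, type_, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "range": ":".join(rest) or None}


def summarize_denials(lines):
    """Count denials per (source type, target type, class, permission).
    SELinux allow rules are keyed on types, so the user and role fields
    (user_u vs system_u here) are deliberately dropped."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = split_context(rec["scontext"])["type"]
        ttype = split_context(rec["tcontext"])["type"]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts


def suggest_rule(key):
    """The allow rule whose absence a denial key implies. For
    filesystem/associate the 'source' is the file's own type and the
    target is the superblock's type, so the rule pairs two file types
    instead of a process domain and an object type."""
    stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype}:{tclass} {perm};"


def report(lines):
    """One summary line per denial group, most useful for eyeballing."""
    return [
        f"{n}x {tclass} {perm}: {suggest_rule((stype, ttype, tclass, perm))}"
        for (stype, ttype, tclass, perm), n in sorted(summarize_denials(lines).items())
    ]


if __name__ == "__main__":
    for entry in report(AVC_LINES):
        print(entry)
```

Run against the four lines it reduces to a single group, 4x filesystem associate, implying `allow tmp_t tmp_t:filesystem associate;`. Before adding such a rule, confirm the loaded policy really lacks it with the setools query `sesearch --allow -s tmp_t -t tmp_t -c filesystem`.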




More information about the fedora-selinux-list mailing list