/tmp on tmpfs with selinux enabled

Daniel J Walsh dwalsh at redhat.com
Fri May 6 15:47:24 UTC 2005


Aleksandar Milivojevic wrote:

> I'm still discovering SELinux stuff, and I ran into a small problem with 
> the default targeted policy and the /tmp directory.  So I thought about saving 
> a bit of my time, and wasting a bit of everybody else's time ;-).  Hm, 
> OK, maybe I shouldn't be making jokes like that...  Anyhow:
>
> Basically, I have /tmp mounted on small tmpfs file system (to keep it 
> separate from root partition, without need for allocating dedicated 
> disc space for it).  Now, root directory of anything mounted as tmpfs 
> will be labeled as tmpfs_t by SELinux (for example, see output of ls 
> -Zd /dev/shm, which is by default mounted as tmpfs on Fedora and RHEL).
>
> So far so good.  What is not good is that default targeted policy 
> mostly has rules for tmp_t, not tmpfs_t, when dealing with access to 
> /tmp.  So OK, I could grep for all rules where tmp_t is mentioned, and 
> make another set of identical rules for tmpfs_t.
>
> Instead of doing that, I attempted using chcon to set tmp_t context to 
> /tmp just after it is mounted.  However this doesn't seem to help.  
> The applications that ran fine when /tmp is part of "normal" disc 
> based ext3 file system, are blocked by SELinux when /tmp is on tmpfs.  
> By "applications", I mainly mean postgresql database.  I know about 
> that database initialization problem with older targeted policy, and 
> this is not the case here (database is already initialized).
>
> The log suggests that postgresql was prevented from creating a file 
> inside /tmp, since rule says it is allowed to do that on tmp_t, and 
> /tmp was tmpfs_t.  Which is strange.  I did chcon -t tmp_t /tmp, and 
> ls -Zd /tmp clearly shows it labeled as tmp_t.  I thought anything 
> created inside /tmp would inherit its context?
>
> I looked into the manual page for mount, and there doesn't seem to be an 
> option (at least not documented in the manual page, maybe somewhere 
> else?) to set the default context for a tmpfs file system to something 
> other than tmpfs_t.
>
> I've also noticed that in 
> /etc/selinux/targeted/contexts/files/file_contexts, there is this set 
> of lines for /tmp (and similar for /var/tmp, and /usr/tmp):
>
> /tmp       -d   system_u:object_r:tmp_t
> /tmp/.*    <<none>>
>
> I guess the information in this file is used for restorecon only?  Or is 
> it also used when initially creating new files?  I believe it's the 
> former, and that files inherit the parent directory's context.  But, if 
> I'm wrong, this too might have something to do with my problems...
>
> Is my only option creating duplicate rules in the targeted policy for 
> tmpfs_t (that would mirror the rules that reference tmp_t)?  Or is there a 
> way to make a tmpfs-based /tmp behave like it was part of a "normal" ext3 
> file system?
>
This was previously discussed on the fedora-selinux list.  Look for a 
subject of "using tmpfs for /tmp and selinux".

If you add the context mount to your fstab entry, it should work
context=system_u:object_r:tmp_t

Something like

none                    /tmp                    tmpfs   defaults,context=system_u:object_r:tmp_t 0 0
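As an added example (not part of the original thread), the following POSIX shell function audits an fstab for tmpfs mounts that lack a context= option, which is the situation described above: without it, everything created on the tmpfs is labeled tmpfs_t rather than the intended type. The fstab content is a constructed sample embedded inline; on a real system you would feed it /etc/fstab.

```shell
#!/bin/sh
# Constructed sample fstab: one tmpfs entry with a context= option
# (as suggested above) and one without it.
SAMPLE_FSTAB='none      /tmp      tmpfs  defaults,context=system_u:object_r:tmp_t 0 0
tmpfs     /dev/shm  tmpfs  defaults 0 0
/dev/sda1 /         ext3   defaults 1 1'

# tmpfs_context_check: reads fstab lines on stdin and prints one line per
# tmpfs mount in the form "<mountpoint> <context or MISSING>".
# Exit status is 1 if any tmpfs mount has no context= option, 0 otherwise.
tmpfs_context_check() {
  awk '
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
    $3 == "tmpfs" {
      n = split($4, opts, ",")                # mount options are comma separated
      ctx = "MISSING"
      for (i = 1; i <= n; i++)
        if (opts[i] ~ /^context=/) ctx = substr(opts[i], 9)
      print $2, ctx
      if (ctx == "MISSING") missing = 1
    }
    END { exit missing ? 1 : 0 }
  '
}

# Usage: pipe an fstab in; with the sample, /dev/shm is reported as MISSING.
printf '%s\n' "$SAMPLE_FSTAB" | tmpfs_context_check \
  || echo "tmpfs mount(s) without a context= option found"
```

Only the mount option is inspected; the function does not verify that the named type exists in the loaded policy, so pair it with ls -Zd on the mount point after mounting, as the original poster did.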