/tmp on tmpfs with selinux enabled
Daniel J Walsh
dwalsh at redhat.com
Fri May 6 15:47:24 UTC 2005
Aleksandar Milivojevic wrote:
> I'm still discovering SELinux stuff, and I ran into small problem with
> default targeted policy and /tmp directory. So I thought about saving
> a bit of my time, and wasting a bit of everybody else's time ;-). Hm,
> OK, maybe I shouldn't be making jokes like that... Anyhow:
>
> Basically, I have /tmp mounted on small tmpfs file system (to keep it
> separate from root partition, without need for allocating dedicated
> disc space for it). Now, root directory of anything mounted as tmpfs
> will be labeled as tmpfs_t by SELinux (for example, see output of ls
> -Zd /dev/shm, which is by default mounted as tmpfs on Fedora and RHEL).
>
> So far so good. What is not good is that default targeted policy
> mostly has rules for tmp_t, not tmpfs_t, when dealing with access to
> /tmp. So OK, I could grep for all rules where tmp_t is mentioned, and
> make another set of identical rules for tmpfs_t.
>
> Instead of doing that, I attempted using chcon to set tmp_t context to
> /tmp just after it is mounted. However this doesn't seem to help.
> The applications that ran fine when /tmp is part of "normal" disc
> based ext3 file system, are blocked by SELinux when /tmp is on tmpfs.
> By "applications", I mainly mean postgresql database. I know about
> that database initialization problem with older targeted policy, and
> this is not the case here (database is already initialized).
>
> The log suggests that postgresql was prevented from creating a file
> inside /tmp, since rule says it is allowed to do that on tmp_t, and
> /tmp was tmpfs_t. Which is strange. I did chcon -t tmp_t /tmp, and
> ls -Zd /tmp clearly shows it labeled as tmp_t. I thought anything
> created inside /tmp would inherit its context?
>
> I looked into manual page for mount, and there doesn't seem to be an
> option (at least not documented in the manual page, maybe somewhere
> else?) to set default context for a tmpfs file system to something
> other than tmpfs_t.
>
> I've also noticed that in
> /etc/selinux/targeted/contexts/files/file_contexts, there is this set
> of lines for /tmp (and similar for /var/tmp, and /usr/tmp):
>
> /tmp -d system_u:object_r:tmp_t
> /tmp/.* <<none>>
>
> I guess information in this file is used for restorecon only? Or is
> it also used when initially creating new files? I believe it's the
> former, and that files inherit parent directory's context. But, if
> I'm wrong, this too might have something to do with my problems...
>
> Is my only option creating duplicate rules in targeted policy for
> tmpfs_t (that would mirror rules that reference tmp_t)? Or is there a
> way to make tmpfs based /tmp behave like it was part of "normal" ext3
> file system?
>
This was previously discussed in the fedora-selinux list. Look for a
subject of "using tmpfs for /tmp and selinux"
If you add the context mount to your fstab entry, it should work
context=system_u:object_r:tmp_t
Something like
none /tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0
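Added example, not from either poster: a small shell check that audits fstab text for a tmpfs /tmp entry and reports whether it carries the context= mount option from the reply above. The two fstab snippets are constructed samples, not a real host's fstab.

```shell
#!/bin/sh
# Added example, not from the thread: audit fstab text for a tmpfs /tmp entry
# and report the SELinux context= mount option it sets (or that it sets none).
# Both fstab snippets below are constructed samples, not a real host's fstab.

# Weak setting: /tmp on tmpfs with no context=, so the mount and everything
# created in it is labeled tmpfs_t, which the targeted policy's tmp_t rules
# do not cover (the postgresql denial described in the question).
FSTAB_WEAK='# constructed sample
/dev/sda1 / ext3 defaults 1 1
none /dev/shm tmpfs defaults 0 0
none /tmp tmpfs defaults 0 0'

# Corrected setting: the context= option from the reply labels the whole
# tmpfs tmp_t, so the existing tmp_t rules apply.
FSTAB_FIXED='# constructed sample
/dev/sda1 / ext3 defaults 1 1
none /dev/shm tmpfs defaults 0 0
none /tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0'

# tmpfs_context FSTAB_TEXT MOUNTPOINT
# Prints the context= value of the tmpfs entry for MOUNTPOINT and returns 0;
# prints MISSING and returns 1 if the entry has no context= option;
# prints nothing and returns 2 if there is no tmpfs entry for MOUNTPOINT.
tmpfs_context() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and malformed lines
        $2 == mnt && $3 == "tmpfs" {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^context=/) {
                    sub(/^context=/, "", opts[i])
                    print opts[i]
                    exit 0
                }
            }
            print "MISSING"
            exit 1
        }
        END { if (!found) exit 2 }'
}

# Stand-alone run: report the weak sample, then the corrected one.
for f in "$FSTAB_WEAK" "$FSTAB_FIXED"; do
    echo "/tmp tmpfs context: $(tmpfs_context "$f" /tmp)"
done
```

Pointing it at a real /etc/fstab is just `tmpfs_context "$(cat /etc/fstab)" /tmp`; a MISSING result is the situation the question describes.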