using tmpfs for /tmp and selinux

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 23 13:06:57 UTC 2005


On Wed, 2005-03-23 at 13:11 +0100, dragoran wrote:
> Is it possible to use tmpfs for /tmp with selinux (targeted) ...
> I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp

You could try mounting with the context= option, e.g.
context=system_u:object_r:tmp_t.  This will force the superblock and
root directory to tmp_t, and then files created in it should pick up the
usual type transitions by default (e.g. mysqld_tmp_t).  However, at
present, using this option disables the use of getxattr/setxattr and
setfscreatecon on the filesystem, so note that ls -Z and similar
programs will no longer be able to get or set contexts on /tmp.

Note to James:  Possibly we should reconsider the disabling of
getxattr/setxattr and setfscreatecon for mountpoint labeling for pseudo
filesystems like tmpfs, since we are just dealing with an incore inode
SID and there is no persistent storage, so there is no inconsistency. 

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
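The mount described above, plus a check a sysadmin can run afterwards, as an added example that is not part of the original post. Because the context= option (per Stephen's note) disables getxattr on the filesystem, `ls -Z /tmp` cannot confirm the label; the check instead parses the /proc/mounts entry and reports the type field of its context= option. The sample mount lines are constructed, not captured from a real system, and the ":s0" level suffix, the mode=1777 and nosuid/nodev options, and the fstab layout are assumptions for a modern MLS/MCS-enabled targeted policy (the 2005 post gives plain system_u:object_r:tmp_t).

```shell
#!/bin/sh
# Added example; not code from the original mailing-list post.
# Assumed defaults: MCS level ":s0" appended to the context, mode=1777 so /tmp
# stays world-writable with the sticky bit, and nosuid,nodev as hardening.

# Mount options for a tmpfs /tmp whose superblock and root directory are
# forced to tmp_t. Files created under it then take the policy's usual type
# transitions (e.g. mysqld_tmp_t); xattr get/set on this mount is disabled.
tmpfs_tmp_opts() {
    printf 'mode=1777,nosuid,nodev,context=%s\n' "${1:-system_u:object_r:tmp_t:s0}"
}

# Equivalent /etc/fstab entry (assumed layout).
tmpfs_fstab_line() {
    printf 'tmpfs /tmp tmpfs %s 0 0\n' "$(tmpfs_tmp_opts "$1")"
}

# Given one /proc/mounts line and a mount point, print the type field of the
# mount's context= option, or "none" if the mount point is not tmpfs or has
# no context= option. The kernel quotes the value only when it contains a
# comma (MCS category lists), so both forms are handled.
# Usage: mount_context_type "<line from /proc/mounts>" /tmp
mount_context_type() {
    line=$1
    mnt=$2
    set -- $line                      # fields: dev mountpoint fstype options ...
    [ "$2" = "$mnt" ] && [ "$3" = "tmpfs" ] || { echo none; return 1; }
    opts=",$4"                        # leading comma so ",context=" cannot match defcontext=/rootcontext=
    ctx=$(printf '%s\n' "$opts" | sed -n \
        -e 's/.*,context="\([^"]*\)".*/\1/p' -e 't' \
        -e 's/.*,context=\([^,]*\).*/\1/p')
    [ -n "$ctx" ] || { echo none; return 1; }
    # context is user:role:type[:level]; the type is the third field
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Live check against the running system (requires a mounted /tmp; read-only).
check_live_tmp() {
    grep ' /tmp ' /proc/mounts | while read -r l; do
        mount_context_type "$l" /tmp
    done
}

# Typical use (as root, on the real system):
#   mount -t tmpfs -o "$(tmpfs_tmp_opts)" tmpfs /tmp
#   tmpfs_fstab_line >> /etc/fstab
#   check_live_tmp      # expect: tmp_t
```

The check reads the mount table rather than file labels, which is the only view that still works once context= has disabled xattr access on the filesystem; a result of "none" means the option did not take and new files will be labelled tmpfs_t, reproducing the AVC denials from the original question.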
