problems with tmpfs and relabeling

Bill Nottingham notting at redhat.com
Tue Apr 18 20:42:45 UTC 2006


Bill Nottingham (notting at redhat.com) said: 
> Stephen Smalley (sds at tycho.nsa.gov) said: 
> > > However, relabeling the files then fails - for each type that I'm 
> > > putting on tmpfs, I need to add:
> > > 
> > > allow <type> tmpfs_t:filesystem associate;
> > > 
> > > before relabelling works.
> > > 
> > > This seems strange - is this something that should be fixed in 
> > > the stock policy, or should I just carry this in my own module?
> > 
> > One option is to use a fscontext= mount option to change the security
> > context associated with the filesystem/superblock object to match your
> > usage, e.g. making it fs_t like a conventional filesystem rather than
> > tmpfs_t.  e.g.
> > 	mount -o fscontext=system_u:object_r:fs_t:s0 ...
> 
> Considering this is scratch space that will be used just like
> the 'stock' filesystem for various things (/var, /etc state
> files, etc.), this seems to be the right solution. I'll try
> this.

So, this doesn't work for me... the initial mount of the tmpfs
fails (with no avc). Subsequent mounts succeed, but, well, at that point
you're screwed.

Bill
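
Added example, not part of the original thread or of any policy project: a shell check that reports which of the types you plan to place on tmpfs still lack `associate` on `tmpfs_t:filesystem`, and prints the per-type rule quoted above for each. The function names and the sample rules are constructed for illustration; real input would be the allow rules dumped from your own policy (for instance with sesearch).

```shell
#!/bin/sh
# Constructed sample of allow rules (made up for this example, not taken from
# a real policy). Both the compact and the space-separated spellings appear.
SAMPLE_RULES='allow tmpfs_t tmpfs_t:filesystem associate;
allow var_t tmpfs_t : filesystem { associate getattr } ;
allow etc_t fs_t:filesystem associate;
allow var_run_t tmpfs_t:filesystem getattr;'

# missing_associate FSTYPE TYPE...
# Reads allow rules on stdin and prints, one per line and in argument order,
# each TYPE that has no "associate" permission on FSTYPE:filesystem.
# Assumption: attribute sources are not expanded, so a type that is covered
# only through an attribute is reported as missing.
missing_associate() {
    fstype=$1; shift
    awk -v fs="$fstype" -v wanted="$*" '
        BEGIN { n = split(wanted, want, " ") }
        $1 == "allow" {
            # Turn punctuation into blanks so the fields become:
            # allow SOURCE TARGET CLASS PERM...
            gsub(/[{};:]/, " ")
            if ($3 != fs || $4 != "filesystem") next
            for (i = 5; i <= NF; i++) if ($i == "associate") ok[$2] = 1
        }
        END { for (i = 1; i <= n; i++) if (!(want[i] in ok)) print want[i] }
    '
}

# suggest_rules FSTYPE TYPE...
# Prints the allow rule from the thread for every type still missing it.
suggest_rules() {
    fstype=$1; shift
    missing_associate "$fstype" "$@" |
        while read -r t; do
            echo "allow $t $fstype:filesystem associate;"
        done
}

# Types intended for the tmpfs scratch space (hypothetical selection).
printf '%s\n' "$SAMPLE_RULES" | suggest_rules tmpfs_t var_t etc_t var_run_t
```

An empty result means every listed type can already be associated with the filesystem's label, so relabeling would not need extra rules for those types.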



