polyinstantiation of the /tmp dir

Tomas Mraz tmraz at redhat.com
Thu May 15 07:41:40 UTC 2008

On Wed, 2008-05-14 at 16:11 -0700, Clarkson, Mike R (US SSA) wrote:
> I'm having a problem setting up polyinstantiation for the /tmp dir. I'm
> using RHEL5.1 and I've set it up to create instance directories under
> the /tmp-inst directory based on level when using newrole. It works, but
> the instance directory has ownership/permissions (dac permissions) set
> so that the user can not write to the polyinstantiated directory
> #ls -l /tmp-inst/
> total 24
> drwxr-xr-x 2 root root 4096 May 14 20:17
> system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson
> drwxr-xr-x 2 root root 4096 May 14 18:40
> system_u:object_r:tmp_t:s4:c0.c255_clarkson
> Either the directories need to be created with the user as the owner
> (clarkson in this case), or the permissions need to be 777.
> I've set this up before on other boxes and had it work. Not sure what
> the difference is now. Any ideas?

Remove the instances and add the debug option to pam_namespace.so. Do
you see anything suspicious in /var/log/secure? Also, what does ls -ld /tmp
say? The permissions should be copied from the polydir.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
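
A way to check the point made in the reply above, that each instance directory should carry the polydir's own mode, owner and group, as an added shell example that is not part of the thread. It assumes GNU coreutils stat and the /tmp polydir with instances under /tmp-inst/ described in the question; the config lines in the comments are the assumed setup, not copied from the poster's system.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed setup under discussion:
#   /etc/security/namespace.conf:  /tmp    /tmp-inst/    level    root,adm
#   /etc/pam.d/newrole (debug added, as the reply suggests):
#                                  session required pam_namespace.so debug
# pam_namespace is expected to give every instance directory the polydir's
# mode/owner/group; a root-owned 755 instance under a 1777 /tmp is the
# symptom reported, and this check flags exactly that.

# Print "mode owner group" for a directory, e.g. "1777 root root" (GNU stat).
dir_ident() {
    stat -c '%a %U %G' "$1"
}

# check_instances POLYDIR INSTANCE_PREFIX
# Returns 0 when every directory matching INSTANCE_PREFIX* has the same
# mode, owner and group as POLYDIR; returns 1 and prints each mismatch
# otherwise (compare with what "ls -ld /tmp" and "ls -l /tmp-inst/" show).
check_instances() {
    polydir=$1
    prefix=$2
    want=$(dir_ident "$polydir") || return 1
    rc=0
    for inst in "$prefix"*; do
        [ -d "$inst" ] || continue
        got=$(dir_ident "$inst")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $inst: $got (polydir $polydir is $want)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use against a real system (needs the polydir and instances to exist):
# check_instances /tmp /tmp-inst/ && echo "all instance directories match /tmp"
```

Run it after the debug-enabled newrole session has created fresh instances; a MISMATCH line points at the same directory to look for in /var/log/secure.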

More information about the fedora-selinux-list mailing list