[OT] tmpfs - was : AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Sat Aug 15 23:50:21 UTC 2009


Hello.

> I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp

I'm interested in this topic but I don't know how to find processes
running as UID=0 using /tmp or /var/tmp.

Thanks in advance.

2009/8/14 Daniel J Walsh <dwalsh at redhat.com>:
> On 08/14/2009 08:50 AM, Arthur Dent wrote:
>> On Fri, 2009-08-14 at 08:25 -0400, Daniel J Walsh wrote:
>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>
>> [snip]
>>
>>>>>
>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>>>>>
>>>>>
>>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
>>>> relatively small and finite? Also - please excuse my ignorance - but how
>>>> do I make tmpfs the tmp folder?
>>>>
>>>> Richard.
>>>>
>>>>
>>> Must have changed between RHEL5 and F11
>>>
>>> Try
>>>
>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>
>>> Add this line to /etc/fstab
>>>
>>> tmpfs                   /tmp                 tmpfs   rootcontext="system_u:object_r:tmp_t:s0",defaults        0 0
>>>
>>> And reboot.
>>>
>>> I don't tend to store huge amounts of stuff in /tmp.  If I want to store big stuff I can always use /var/tmp
>>
>> Forgive the off-topic response, but I too like the idea of a
>> self-washing /tmp. However I am concerned that I don't really understand
>> how it works. What, for example, would be the effect of doing this on
>> server which has only limited RAM and is only rebooted periodically.
>> Would all the RAM get filled up over time by tmpfs and then everything
>> would have to run in swap?
>>
>> Would I need to reboot regularly just to clean tmpfs?
>>
> Well there are tools like tmpwatch and tmpreaper that periodically clean up /tmp files.
>
> On a server or system with limited ram, this might not be a great idea, since you could run out of
> memory.  I do not know if you can put a quota on it.  I just don't store a lot of junk on /tmp, so it is
> never a problem.  And I have had problems in the past with mislabeled files either via SELinux or UID problems in
> /tmp causing havoc with login.
>
> I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp
>
>> I do like the idea and have just implemented it on my desktop machine
>> which has more RAM and gets shut down every day...
>>
>> Thanks...
>>
>> Mark
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list



-- 
http://intrajp.no-ip.com/ Home Page
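One way to answer the question asked above (which UID 0 processes have /tmp or /var/tmp open) is to walk /proc directly. The script below is an added example written for this page, not code posted by anyone in the thread; it assumes the standard Linux /proc layout (status, fd/, cwd, maps, comm). The PROCROOT parameter is a hypothetical convenience so the logic can be exercised against a constructed fake tree; on a live system, reading other users' fd links requires root, so run it with sudo.

```shell
#!/bin/sh
# Added example: list processes whose real UID is 0 and that hold an open file
# descriptor, working directory, or memory mapping under /tmp or /var/tmp.
# Targets that were unlinked still show up (readlink appends " (deleted)").
# The optional first argument is an alternative /proc root (hypothetical
# parameter, used only so the function can be tested against a fake tree).

root_tmp_users() {
    procroot="${1:-/proc}"
    for pdir in "$procroot"/[0-9]*; do
        [ -d "$pdir" ] || continue
        pid="${pdir##*/}"
        # Real UID is the first number after "Uid:" in /proc/PID/status.
        uid=$(awk '/^Uid:/ { print $2; exit }' "$pdir/status" 2>/dev/null) || continue
        [ "$uid" = "0" ] || continue
        hits=""
        # fd/* and cwd are symlinks; readlink resolves them to the real path.
        for link in "$pdir"/fd/* "$pdir"/cwd; do
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                /tmp|/tmp/*|/var/tmp|/var/tmp/*) hits="$hits $target" ;;
            esac
        done
        # Memory-mapped files (mmap'd temp files, shared memory) are in maps,
        # column 6; they are not visible through fd/ once the fd is closed.
        if [ -r "$pdir/maps" ]; then
            for target in $(awk '$6 ~ "^/(var/)?tmp(/|$)" { print $6 }' "$pdir/maps" | sort -u); do
                hits="$hits $target"
            done
        fi
        if [ -n "$hits" ]; then
            comm=$(cat "$pdir/comm" 2>/dev/null || echo '?')
            printf '%s %s:%s\n' "$pid" "$comm" "$hits"
        fi
    done
}

# Stand-alone invocation scans the live system (needs root to see every process).
root_tmp_users "${1:-/proc}"
```

Each output line is "PID comm: path ...", so `sudo ./root_tmp_users.sh | sort -u` gives a quick inventory of the services the crusade mentioned above would need to move to /var/tmp or a private directory.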