Quick version: Anyone know why, if you try to relabel your filesystem for SELinux, files in /tmp do not get relabeled?
Detailed version:
I have a CentOS 5.7 machine where I am trying to enable SELinux to improve the machine's security.
I specified "SELINUX=permissive" in /etc/selinux/config and rebooted, and sestatus reports that it's on:

[root@g6950-21025 tmp]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted
But when I try to relabel the filesystem, files in /tmp do not get relabeled, although files everywhere except /tmp do get relabeled properly. I relabeled by doing

# genhomedircon
# touch /.autorelabel
# reboot

in accordance with the directions at http://wiki.centos.org/HowTos/SELinux, and the /.autorelabel was deleted after I rebooted (indicating that it had been processed), and most files were relabeled correctly:
[root@g6950-21025 tmp]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
However, the ones in /tmp were not:
[root@g6950-21025 tmp]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
(sealert says that any file of type "file_t" means it was not relabeled properly.) I have a number of CGI scripts that rely on reading and writing to files in the /tmp directory and SELinux would block most of them from working because of the labeling problem. (Plus PHP writes to /tmp so I assume many PHP scripts would have errors as well.)
Any idea why the files in /tmp were not relabeled, and how to fix it?
My only guess is that since I think /tmp is a different partition, maybe the relabeling relabeled everything on the "/" partition but not on /tmp? If that's correct, how would I fix it? I tried creating a file at /tmp/.autorelabel and rebooting, but that didn't work (and the file did not get deleted, suggesting it wasn't processed at all).
Bennett
selinux@lists.fedoraproject.org
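Added example (not from the original post or from the CentOS wiki it cites): a small POSIX shell script that does the two checks a practitioner would want before guessing further. It scans `ls -lZ` output in the CentOS 5 format shown above (mode owner group context path, no size or date columns) for entries still typed file_t or unlabeled_t, tests whether /tmp appears as its own mount point in /proc/mounts-style text, and emits the per-file `restorecon` commands that would relabel the stragglers from the loaded policy's file contexts without another full reboot relabel. The ls and mount listings embedded below are constructed sample data modelled on the post, not captured from the poster's machine; nothing here runs restorecon itself, it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds files whose SELinux
# type is still file_t/unlabeled_t in `ls -lZ` output and prints the
# restorecon commands that would relabel them. Runs offline on sample input.

# Constructed sample of `ls -lZ /tmp` in the CentOS 5 column layout:
#   mode owner group security_context path   (no size/date columns)
SAMPLE_LS='-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- root   root   system_u:object_r:tmp_t  /tmp/ok.txt
drwxrwxrwt root   root   system_u:object_r:tmp_t  /tmp/.X11-unix
-rw------- apache apache system_u:object_r:file_t /tmp/sess_example'

# Print the path of every entry whose context type (3rd colon field of
# column 4) is file_t or unlabeled_t. Reads ls -lZ lines on stdin.
unlabeled_paths() {
    awk '{ split($4, c, ":"); if (c[3] == "file_t" || c[3] == "unlabeled_t") print $5 }'
}

# Number of unlabeled entries in a block of ls -lZ output.
count_unlabeled() {
    printf '%s\n' "$1" | unlabeled_paths | wc -l | tr -d ' '
}

# Emit one restorecon command per unlabeled path. restorecon looks the path
# up in the loaded policy's file contexts, so /tmp files get tmp_t (or a
# more specific type) instead of file_t. Printed as text, not executed.
relabel_commands() {
    printf '%s\n' "$1" | unlabeled_paths | while IFS= read -r p; do
        printf 'restorecon -v -- %s\n' "$p"
    done
}

# Does mount point $2 appear in /proc/mounts-style text $1? This tests the
# poster's guess that /tmp is a separate filesystem. Column 2 is the mount point.
is_separate_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed /proc/mounts sample (assumption: /tmp on its own ext3 partition).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
proc /proc proc rw 0 0'

if is_separate_mount "$SAMPLE_MOUNTS" /tmp; then
    echo "/tmp is its own filesystem"
fi
echo "unlabeled entries: $(count_unlabeled "$SAMPLE_LS")"
relabel_commands "$SAMPLE_LS"
```

On a real box, feed it `ls -lZ /tmp` and `cat /proc/mounts` instead of the samples. The column positions are specific to the CentOS 5 `ls -lZ` layout reproduced in the post; newer coreutils print size and date columns too, so the awk field numbers would need adjusting there.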