Stephen Smalley wrote:
> On Wed, 2005-03-23 at 13:11 +0100, dragoran wrote:
>> Is it possible to use tmpfs for /tmp with selinux (targeted) ...
>> I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp
>
> You could try mounting with the context= option, e.g.
> context=system_u:object_r:tmp_t. This will force the superblock and
> root directory to tmp_t, and then files created in it should pick up the
> usual type transitions by default (e.g. mysqld_tmp_t). However, at
> present, using this option disables the use of getxattr/setxattr and
> setfscreatecon on the filesystem, so note that ls -Z and similar
> programs will no longer be able to get or set contexts on /tmp.
>
> Note to James: Possibly we should reconsider the disabling of
> getxattr/setxattr and setfscreatecon for mountpoint labeling for pseudo
> filesystems like tmpfs, since we are just dealing with an incore inode
> SID and there is no persistent storage, so there is no inconsistency.
doesn't seem to work:
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
name=.ICE-unix scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
name=.X11-unix scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
name=.X11-unix scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0):
avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg
name=.tX0-lock scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
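The following is an added example, not part of the thread or of any SELinux tool: a small Python script that re-joins the AVC lines above (which the mailer wrapped across several lines) and summarizes the denials by source type, target type, object class and permission, the way one reads them before deciding on a policy change. The sample input is the four records quoted in the message, embedded verbatim; the field names (scontext, tcontext, tclass) are the standard AVC fields, and the regular expressions are this example's own assumptions about the 2.6-era kernel log format shown here. The `as_rules` helper renders each distinct denial as the allow rule that would cover it, in the same spirit as audit2allow; whether such a rule belongs in the policy is a separate judgement.

```python
import re
from collections import Counter

# Constructed sample: the AVC records quoted in the message above, still
# wrapped across lines exactly as the mailer delivered them.
SAMPLE_LOG = """\
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
name=.ICE-unix scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
name=.X11-unix scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0):
avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary
name=.X11-unix scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0):
avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg
name=.tX0-lock scontext=user_u:object_r:tmp_t
tcontext=system_u:object_r:tmp_t tclass=filesystem
"""

# A record starts with a syslog timestamp ("Mar 24 08:35:28 "); anything
# else is a continuation of the previous record (assumed wrapping rule).
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def unwrap(raw):
    """Re-join records that were wrapped across lines; returns one string per record."""
    records = []
    for line in raw.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Parse one AVC record into a dict (result, perms list, key=value fields), or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def type_of(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(raw):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for record in unwrap(raw):
        rec = parse_avc(record)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def as_rules(counts):
    """Render each distinct denial as the allow rule that would cover it (audit2allow style)."""
    return sorted(f"allow {s} {t}:{cls} {perm};" for (s, t, cls, perm) in counts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, n in summary.items():
        print(f"{n:3d}  {key}")
    for rule in as_rules(summary):
        print(rule)
```

Run on the sample, the summary collapses all four records into one entry: the `associate` permission between files of type tmp_t and a filesystem of type tmp_t, which is the filesystem label the context= mount option forces and which the tmpfs-specific rules in the policy would not cover.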