/tmp on tmpfs (was: Re: Summary/Minutes for today's FESCo meeting (2012-04-02))

David Quigley selinux at davequigley.com
Mon Apr 2 20:11:24 UTC 2012


On 04/02/2012 16:06, Richard W.M. Jones wrote:
> On Mon, Apr 02, 2012 at 04:04:23PM -0400, David Quigley wrote:
>> On 04/02/2012 15:58, Richard W.M. Jones wrote:
>> >On Mon, Apr 02, 2012 at 08:32:56PM +0200, Miloslav Trmač wrote:
>> >>* #834 F18 Feature: /tmp on tmpfs -
>> >>  http://fedoraproject.org/wiki/Features/tmp-on-tmpfs  (mitr,
>> >>17:40:06)
>> >>  * AGREED: tmp-on-tmpfs is accepted (+5 -3)  (mitr, 18:12:52)
>> >
>> >Actually I think this is a good feature, but ...
>> >
>> >The feature page is wrong about "The user experience should barely
>> >change.  This is mostly a low-level change that has little visibility
>> >to the user."
>> >
>> >tmpfs is different in a number of important ways:
>> >
>> > - it's very limited in space compared to a real disk
>> >
>> > - it doesn't support O_DIRECT
>> >
>> > - it doesn't support user extended attrs; and not very old kernels
>> >   didn't support any xattrs at all, meaning things like SELinux
>> >   labels don't work
>> >
>> >All this means it's going to need a bit more testing, since
>> >potentially any package that stores a file on /tmp should be tested
>> >and may need to be fixed.
>> >
>> >Rich.
>> >
>> >--
>> >Richard Jones, Virtualization Group, Red Hat
>> >http://people.redhat.com/~rjones
>> >New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
>> >programs, test, and build Windows installers. Over 70 libraries
>> >supprt'd
>> >http://fedoraproject.org/wiki/MinGW
>> >http://www.annexia.org/fedora_mingw
>>
>>
>> I really need to remember to send with the right user identity for
>> this list.
>>
>> <resend of my message since it's going to bounce>
>>
>> That third part is not correct. tmpfs supports SELinux labels. If
>> you mount a tmpfs filesystem you'll see it reports seclabel as one
>> of the mount options. You can also just use chcon -t to set the type
>> on any file you like. SELinux labels are stored in the security
>> namespace which is separate from user extended attributes.
>
> That's not what I said.  I said that relatively recent kernels (up to
> the middle of last year) didn't support system.*, and tmpfs doesn't
> support user.* at all AFAICT.
>
> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat 
> http://people.redhat.com/~rjones
> virt-top is 'top' for virtual machines.  Tiny program with many
> powerful monitoring features, net stats, disk stats, logging, etc.
> http://et.redhat.com/~rjones/virt-top

I wasn't contesting your statement of user.* and system.*. I was just 
pointing out that tmpfs has supported SELinux labels for a very long 
time, even well before Eric's patch last year that put generic xattr 
handlers in. So there should be no issue at all with SELinux labels on 
tmpfs even if you run older kernels.

Dave
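A way to check both claims made in this thread on a running system, as an added example that is not from the thread, from Fedora or from either poster: parse /proc/self/mountinfo for tmpfs mounts that report `seclabel` (the mount option Dave refers to), and probe a directory to see whether a `user.*` xattr can be set and whether a `security.*` xattr can be read. `SAMPLE_MOUNTINFO` is a constructed sample and the function names are my own.

```python
import errno
import os
import tempfile

# Constructed sample in the /proc/self/mountinfo format (not captured from a real host).
# Fields before " - ": id parent major:minor root mount_point mount_opts [optional...]
# Fields after  " - ": fstype source super_opts   (seclabel appears in super_opts)
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel
30 25 0:20 / /dev/shm rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,seclabel
31 25 0:21 / /run rw,nosuid,nodev shared:6 - tmpfs tmpfs rw,mode=755
"""


def tmpfs_seclabel_status(mountinfo_text):
    """Return {mount_point: bool} for every tmpfs mount in the text; True when
    the kernel reports 'seclabel', i.e. security.* labels are supported there."""
    result = {}
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        mount_point = pre.split()[4]
        fstype, _source, super_opts = post.split(" ", 2)
        if fstype == "tmpfs":
            result[mount_point] = "seclabel" in super_opts.split(",")
    return result


def probe_xattr_namespaces(directory):
    """Create a scratch file in `directory`, try to set a user.* xattr and read
    security.selinux, and report per namespace: 'ok' or the errno name.
    On tmpfs, user.* typically fails with ENOTSUP while security.* works
    (ENODATA here means the namespace is handled but no label is stored)."""
    status = {}
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    try:
        try:
            os.setxattr(path, b"user.probe", b"1")
            status["user"] = "ok"
        except OSError as e:
            status["user"] = errno.errorcode.get(e.errno, str(e.errno))
        try:
            os.getxattr(path, b"security.selinux")
            status["security"] = "ok"
        except OSError as e:
            status["security"] = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.unlink(path)
    return status
```

Run `probe_xattr_namespaces("/dev/shm")` against `probe_xattr_namespaces("/var/tmp")` on an SELinux host to see the difference in the user namespace that Rich describes.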
