/tmp on tmpfs (was: Re: Summary/Minutes for today's FESCo meeting (2012-04-02))

David Quigley selinux at davequigley.com
Mon Apr 2 20:40:38 UTC 2012


On 04/02/2012 16:26, Richard W.M. Jones wrote:
> On Mon, Apr 02, 2012 at 04:11:24PM -0400, David Quigley wrote:
>> On 04/02/2012 16:06, Richard W.M. Jones wrote:
>> >That's not what I said.  I said that relatively recent kernels (up to
>> >the middle of last year) didn't support system.*, and tmpfs doesn't
>
> Sorry, I meant to write security.* there.
>
>> >support user.* at all AFAICT.
>> >
>> >Rich.
>> >
>> >--
>> >Richard Jones, Virtualization Group, Red Hat
>> >http://people.redhat.com/~rjones
>> >virt-top is 'top' for virtual machines.  Tiny program with many
>> >powerful monitoring features, net stats, disk stats, logging, etc.
>> >http://et.redhat.com/~rjones/virt-top
>>
>> I wasn't contesting your statement of user.* and system.* I was just
>> pointing out that tmpfs has supported SELinux labels for a very long
>> time. Even well before Eric's patch last year that put generic xattr
>> handlers in. So there should be no issue at all with SELinux labels
>> on tmpfs even if you run older kernels.
>
> Are you sure about this?  '-o seclabel' has been backported to RHEL 6,
> but it doesn't exist on RHEL 5, nor on (upstream) 2.6.39 AFAICS.
>
> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat 
> http://people.redhat.com/~rjones
> New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
> programs, test, and build Windows installers. Over 70 libraries supprt'd
> http://fedoraproject.org/wiki/MinGW 
> http://www.annexia.org/fedora_mingw


You don't specify seclabel as an option. It is something that is put
into the mount command to show you that a filesystem supports being able
to set security labels on it. I wrote that patch back in 2009 sometime I
think. Seclabel just says that the filesystem is being labeled with
xattrs, transition, or task labeling types. In all of these cases in the
event of an xattr handler not being present it will fall back on the LSM
via vfs_set/getxattr to set the label on the incore inode. So whether or
not RHEL 5 reports seclabel in the mount options is irrelevant because
it's just notifying you of behavior that already existed.

Dave
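Added example (not from the thread): since seclabel is reported by the kernel in the mount options rather than passed by the admin, the way to check whether a mounted tmpfs is labeled is to read it back out of /proc/mounts. The script below parses a constructed /proc/mounts sample; the function names and the sample lines are my own.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not a real capture):
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/root / ext4 rw,seclabel,relatime 0 0'

# Read /proc/mounts-format lines on stdin and print "mountpoint fstype"
# for every mount whose option list carries the kernel-added seclabel flag.
# The option field is split on commas so that e.g. "seclabel" is matched
# as a whole option and not as a substring of some other option.
seclabel_mounts() {
    awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "seclabel") { print $2, $3; break }
    }'
}

# Exit 0 if the mountpoint given as $1 is reported as labeled, 1 otherwise.
# Reads the same /proc/mounts-format input on stdin.
is_seclabel() {
    mp="$1"
    seclabel_mounts | awk -v mp="$mp" '$1 == mp { found = 1 } END { exit !found }'
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | seclabel_mounts
if printf '%s\n' "$SAMPLE_MOUNTS" | is_seclabel /tmp; then
    echo "/tmp: security labels supported"
else
    echo "/tmp: no seclabel flag reported"
fi
```

On a live system, feed the real table instead of the sample: `seclabel_mounts < /proc/mounts` or `is_seclabel /tmp < /proc/mounts`.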

