filesystem relabeling not working for /tmp after enabling SELinux

Bennett Haselton bennett at peacefire.org
Sun Jan 8 23:36:59 UTC 2012


Quick version: Anyone know why, if you try to relabel your filesystem 
for SELinux, files in /tmp do not get relabeled?

Detailed version:

I have a CentOS 5.7 machine where I am trying to enable SELinux to 
improve the machine's security.

I specified "SELINUX=permissive" in /etc/selinux/config and rebooted, 
and sestatus reports that it's on:
[root at g6950-21025 tmp]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

But when I try to relabel the filesystem, files in /tmp do not get 
relabeled, although files everywhere except /tmp do get relabeled 
properly.  I relabeled by doing
# genhomedircon
# touch /.autorelabel
# reboot
in accordance with directions at
http://wiki.centos.org/HowTos/SELinux
and the /.autorelabel was deleted after I rebooted (indicating that it 
had been processed), and most files were relabeled correctly:
 >>
[root at g6950-21025 tmp]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t 
/var/www/html/robots.txt
 >>
However, the ones in /tmp were not:
 >>
[root at g6950-21025 tmp]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r--  apache apache system_u:object_r:file_t         
/tmp/hostname_SKYSLICE.INFO
 >>

(sealert says that any file of type "file_t" means it was not relabeled 
properly.)  I have a number of CGI scripts that rely on reading and 
writing to files in the /tmp directory and SELinux would block most of 
them from working because of the labeling problem.  (Plus PHP writes to 
/tmp so I assume many PHP scripts would have errors as well.)

Any idea why the files in /tmp were not relabeled, and how to fix it?

My only guess is that since I think /tmp is a different partition, maybe 
the relabeling relabeled everything on the "/" partition but not on 
/tmp?  If that's correct, how would I fix it?  I tried creating a file 
at /tmp/.autorelabel and rebooting, but that didn't work (and the file 
did not get deleted, suggesting it wasn't processed at all).

Bennett
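Two small diagnostics for the situation described above, added here as an example and not part of the original post or the CentOS wiki: one filters `ls -lZ` output down to entries whose SELinux type is still `file_t` (never labeled), the other resolves which mount point holds a path using `/proc/mounts`-style lines, which answers the "is /tmp a separate partition" question. The sample listing and mount table are constructed from the values quoted in the post.

```shell
#!/bin/sh
# Constructed `ls -lZ` lines (CentOS 5 column layout: mode owner group context path).
SAMPLE_LS='-rw-rw-rw-  root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
-rw-r--r--  apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
-rw-r--r--  root root system_u:object_r:tmp_t /tmp/ok.txt'

# Constructed /proc/mounts sample in which /tmp is its own filesystem (assumption).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Read `ls -lZ` lines on stdin and print the path of every entry whose
# SELinux type (third colon-separated field of the context) is file_t.
# A "total N" header line has no context field and is ignored.
unlabeled_files() {
    awk '{ split($4, ctx, ":"); if (ctx[3] == "file_t") print $5 }'
}

# Read /proc/mounts lines on stdin and print the mount point that holds
# the path given as $1 (longest matching prefix; "/" always matches).
mount_point_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }'
}

# Demonstration on the constructed data.
echo "Still unlabeled (file_t):"
printf '%s\n' "$SAMPLE_LS" | unlabeled_files
echo "Filesystem holding /tmp/hostname_SKYSLICE.INFO:"
printf '%s\n' "$SAMPLE_MOUNTS" | mount_point_for /tmp/hostname_SKYSLICE.INFO

# On a live host the same functions take real input, e.g.
#   ls -lZ /tmp | unlabeled_files
#   mount_point_for /tmp < /proc/mounts
# Any path reported as file_t can be relabeled from policy with
# `restorecon -Rv <path>` and re-checked the same way.
```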