/tmp on tmpfs with selinux enabled

Aleksandar Milivojevic amilivojevic at pbl.ca
Fri May 6 14:59:47 UTC 2005


I'm still discovering SELinux stuff, and I ran into a small problem with 
the default targeted policy and the /tmp directory.  So I thought about saving a 
bit of my time, and wasting a bit of everybody else's time ;-).  Hm, OK, 
maybe I shouldn't be making jokes like that...  Anyhow:

Basically, I have /tmp mounted on a small tmpfs file system (to keep it 
separate from the root partition, without the need for allocating dedicated disc 
space for it).  Now, the root directory of anything mounted as tmpfs will be 
labeled as tmpfs_t by SELinux (for example, see the output of ls -Zd 
/dev/shm, which is by default mounted as tmpfs on Fedora and RHEL).

So far so good.  What is not good is that default targeted policy mostly 
has rules for tmp_t, not tmpfs_t, when dealing with access to /tmp.  So 
OK, I could grep for all rules where tmp_t is mentioned, and make 
another set of identical rules for tmpfs_t.

Instead of doing that, I attempted using chcon to set tmp_t context to 
/tmp just after it is mounted.  However this doesn't seem to help.  The 
applications that ran fine when /tmp is part of "normal" disc based ext3 
file system, are blocked by SELinux when /tmp is on tmpfs.  By 
"applications", I mainly mean postgresql database.  I know about that 
database initialization problem with older targeted policy, and this is 
not the case here (database is already initialized).

The log suggests that postgresql was prevented from creating a file 
inside /tmp, since the rule says it is allowed to do that on tmp_t, and /tmp 
was tmpfs_t.  Which is strange.  I did chcon -t tmp_t /tmp, and ls -Zd 
/tmp clearly shows it labeled as tmp_t.  I thought anything created 
inside /tmp would inherit its context?

I looked into the manual page for mount, and there doesn't seem to be an 
option (at least not documented in the manual page, maybe somewhere 
else?) to set the default context for a tmpfs file system to something other 
than tmpfs_t.

I've also noticed that in 
/etc/selinux/targeted/contexts/files/file_contexts, there is this set of 
lines for /tmp (and similar for /var/tmp, and /usr/tmp):

/tmp       -d   system_u:object_r:tmp_t
/tmp/.*    <<none>>

I guess the information in this file is used for restorecon only?  Or is it 
also used when initially creating new files?  I believe it's the former, 
and that files inherit the parent directory's context.  But, if I'm wrong, 
this too might have something to do with my problems...

Is my only option creating duplicate rules in the targeted policy for 
tmpfs_t (that would mirror the rules that reference tmp_t)?  Or is there a 
way to make a tmpfs-based /tmp behave like it was part of a "normal" ext3 
file system?

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
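An added example, not part of the original post and not anything from the Fedora or RHEL policy: instead of running chcon on the mount point after the fact, give the tmpfs superblock its SELinux label at mount time with the context= option from mount(8), and then verify that both the mount point and a freshly created file inside it carry the expected type. Assumptions not confirmed by the post: the context= superblock option is available on the kernel in use, and the label string is whatever the local policy expects (three fields as in the post's file_contexts excerpt, or four fields ending in ":s0" on policies with an MLS/MCS field). Note that context= labels every inode on that mount with the one context and switches off per-file labeling, so type transitions into process-specific *_tmp_t types do not happen on such a mount.

```shell
#!/bin/sh
# Added example (not from the original post): mount a tmpfs /tmp with an
# explicit SELinux context instead of relabelling it with chcon afterwards,
# then verify the label of the mount point and of a file created inside it.
#
# Assumptions (not confirmed by the post): the "context=" superblock option
# documented in mount(8) exists on this kernel, and the label string matches
# the local policy (system_u:object_r:tmp_t, or with a trailing :s0).

# Build the mount command for a tmpfs-backed /tmp labelled with a fixed context.
# $1 = mount point, $2 = size, $3 = full context string
tmpfs_mount_cmd() {
    printf 'mount -t tmpfs -o size=%s,mode=1777,context=%s tmpfs %s\n' "$2" "$3" "$1"
}

# Equivalent /etc/fstab line so the label survives a reboot.
tmpfs_fstab_line() {
    printf 'tmpfs %s tmpfs size=%s,mode=1777,context=%s 0 0\n' "$1" "$2" "$3"
}

# Extract the SELinux type (third colon-separated field) from a context
# string, e.g. system_u:object_r:tmp_t or system_u:object_r:tmp_t:s0 -> tmp_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if a context string carries the expected type, 1 otherwise.
# Pure string check, so it runs without root or SELinux.
label_has_type() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Read the type of a path: GNU stat's %C prints the SELinux context.
path_type() {
    selinux_type "$(stat -c %C "$1")"
}

# Full check: the mount point and a freshly created file inside it must both
# be the expected type. Only meaningful as root on a host with SELinux
# enabled; elsewhere it just reports what stat returns.
# $1 = mount point, $2 = expected type (e.g. tmp_t)
check_tmpfs_labels() {
    mp=$1; want=$2
    probe=$(mktemp "$mp/selinux-probe.XXXXXX") || return 2
    root_t=$(path_type "$mp")
    file_t=$(path_type "$probe")
    rm -f "$probe"
    echo "mount point: $root_t  new file: $file_t"
    [ "$root_t" = "$want" ] && [ "$file_t" = "$want" ]
}

# Usage as root on an SELinux host (shown, not executed by default):
#   eval "$(tmpfs_mount_cmd /tmp 256m system_u:object_r:tmp_t:s0)"
#   check_tmpfs_labels /tmp tmp_t
# Running check_tmpfs_labels against a plain tmpfs mount that was only
# chcon'ed to tmp_t shows whether new files actually pick up the directory's
# label, which is the question the post raises.
```

The check is deliberately split into a pure label comparison and a stat-based wrapper: the comparison can be exercised on any machine, while the wrapper reports the real labels on the host where /tmp is mounted. The fstab line is the piece to keep: a chcon applied after mounting is lost the next time the tmpfs is created, whereas a context= option is applied by the kernel on every mount.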
