/tmp on tmpfs with selinux enabled

I'm still discovering SELinux stuff, and I ran into a small problem with the default targeted policy and the /tmp directory. So I thought about saving a bit of my time, and wasting a bit of everybody else's time ;-). Hm, OK, maybe I shouldn't be making jokes like that... Anyhow:

Basically, I have /tmp mounted on a small tmpfs file system (to keep it separate from the root partition, without the need to allocate dedicated disk space for it). Now, the root directory of anything mounted as tmpfs will be labeled tmpfs_t by SELinux (for example, see the output of ls -Zd /dev/shm, which is mounted as tmpfs by default on Fedora and RHEL).

So far so good. What is not good is that the default targeted policy mostly has rules for tmp_t, not tmpfs_t, when dealing with access to /tmp. So OK, I could grep for all rules where tmp_t is mentioned and make another set of identical rules for tmpfs_t.

Instead of doing that, I attempted to use chcon to set the tmp_t context on /tmp just after it is mounted. However, this doesn't seem to help. The applications that ran fine when /tmp was part of a "normal" disk-based ext3 file system are blocked by SELinux when /tmp is on tmpfs. By "applications", I mainly mean the postgresql database. I know about the database initialization problem with the older targeted policy, and that is not the case here (the database is already initialized).

The log suggests that postgresql was prevented from creating a file inside /tmp, since the rule says it is allowed to do that on tmp_t, and /tmp was tmpfs_t. Which is strange. I did chcon -t tmp_t /tmp, and ls -Zd /tmp clearly shows it labeled as tmp_t. I thought anything created inside /tmp would inherit its context?

I looked into the manual page for mount, and there doesn't seem to be an option (at least not documented in the manual page; maybe somewhere else?) to set the default context for a tmpfs file system to something other than tmpfs_t.

I've also noticed that in /etc/selinux/targeted/contexts/files/file_contexts, there is this set of lines for /tmp (and similar for /var/tmp, and /usr/tmp):

/tmp       -d   system_u:object_r:tmp_t
/tmp/.*    <<none>>

I guess the information in this file is used for restorecon only? Or is it also used when initially creating new files? I believe it's the former, and that files inherit the parent directory's context. But if I'm wrong, this too might have something to do with my problems...

Is my only option creating duplicate rules in the targeted policy for tmpfs_t (that would mirror the rules that reference tmp_t)? Or is there a way to make a tmpfs-based /tmp behave as if it were part of a "normal" ext3 file system?

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
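The Python script below is an added example, not part of Aleksandar's message and not code from the targeted policy or libselinux. It models the two labeling mechanisms the question turns on: what the file_contexts table (consulted by restorecon and matchpathcon) assigns to a path, including the meaning of the quoted "/tmp/.* <<none>>" line, and what label a new file gets at creation time (the parent directory's type, unless a type_transition rule for the creating domain names another). The first and last file_contexts lines and the postgresql_t type_transition rule are constructed for illustration and are assumptions, not claims about the poster's policy.

```python
"""Added example: how a file below /tmp ends up with its SELinux label.

Two mechanisms are modelled. file_contexts (the table restorecon and
matchpathcon consult) decides what a path should be relabeled to, and the
<<none>> entry for /tmp/.* means "leave it alone". The label a file gets at
creation time comes from the parent directory's type, unless a
type_transition rule for the creating domain picks another type. The policy
rule below is constructed for illustration and is not copied from the
targeted policy.
"""
import re
import stat

# Constructed file_contexts snippet: the two /tmp lines are the ones quoted in
# the post; the catch-all and /dev/shm lines are illustrative.
FILE_CONTEXTS = """\
/.*                system_u:object_r:default_t
/tmp          -d   system_u:object_r:tmp_t
/tmp/.*            <<none>>
/dev/shm(/.*)?     system_u:object_r:tmpfs_t
"""

# Optional second field: restrict an entry to one file type (stat(2) format).
TYPE_FILTERS = {
    "-d": stat.S_IFDIR, "--": stat.S_IFREG, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO,
}

# Constructed type_transition rules: (creating domain, parent dir type, class)
# -> type of the new object. Assumed for illustration only.
TRANSITIONS = {
    ("postgresql_t", "tmp_t", "file"): "postgresql_tmp_t",
    ("postgresql_t", "tmp_t", "sock_file"): "postgresql_tmp_t",
}


def parse_file_contexts(text):
    """Parse file_contexts lines into (anchored regex, type filter, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
            fmt = TYPE_FILTERS[ftype]
        elif len(fields) == 2:
            (regex, context), fmt = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        # Entries must match the whole path, so anchor them at both ends.
        specs.append((re.compile("^(?:" + regex + ")$"), fmt, context))
    return specs


def match_path(specs, path, mode):
    """Context file_contexts assigns to `path` (mode is its stat(2) st_mode).

    The last matching entry wins, which is how "/tmp/.* <<none>>" shadows the
    catch-all for everything below /tmp. Returns None for <<none>>: restorecon
    leaves such files with whatever label they got when they were created.
    """
    for regex, fmt, context in reversed(specs):
        if fmt is not None and stat.S_IFMT(mode) != fmt:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    raise LookupError("no file_contexts entry matches %s" % path)


def type_of(context):
    """The type field of a user:role:type[:range] context string."""
    return context.split(":")[2]


def label_on_create(parent_dir_context, creator_context, obj_class, transitions):
    """Label a newly created object gets.

    SELinux takes the user from the creating process, the role object_r, and
    the type from a matching type_transition rule, falling back to the parent
    directory's type. A file created in a tmpfs_t directory therefore comes
    out tmpfs_t even when policy only allows the domain to create tmp_t files.
    """
    creator_user = creator_context.split(":")[0]
    key = (type_of(creator_context), type_of(parent_dir_context), obj_class)
    new_type = transitions.get(key, type_of(parent_dir_context))
    return "%s:object_r:%s" % (creator_user, new_type)


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    print("/tmp as a dir ->", match_path(specs, "/tmp", stat.S_IFDIR))
    print("/tmp/x.lock   ->", match_path(specs, "/tmp/x.lock", stat.S_IFREG))
    pg = "system_u:system_r:postgresql_t"
    for root in ("system_u:object_r:tmp_t", "system_u:object_r:tmpfs_t"):
        print("file created by postgresql_t under", type_of(root), "->",
              label_on_create(root, pg, "file", TRANSITIONS))
```

Running the script shows the contrast the post describes: a file created by the constructed postgresql_t domain under a tmp_t directory gets the transitioned type, while the same creation under a tmpfs_t directory stays tmpfs_t, and restorecon will not touch either because of the <<none>> entry. For the mount itself, current mount(8) documents the SELinux options context= (every file on the filesystem carries the given label) and rootcontext= (only the mount's root directory is labeled, so files created later inherit from it), which is the usual way to give a tmpfs-backed /tmp a tmp_t root at mount time rather than with chcon afterwards.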

