Aleksandar Milivojevic wrote:
I'm still discovering SELinux stuff, and I ran into a small problem with
default targeted policy and /tmp directory. So I thought about saving
a bit of my time, and wasting a bit of everybody else's time ;-). Hm,
OK, maybe I shouldn't be making jokes like that... Anyhow:
Basically, I have /tmp mounted on small tmpfs file system (to keep it
separate from root partition, without need for allocating dedicated
disc space for it). Now, root directory of anything mounted as tmpfs
will be labeled as tmpfs_t by SELinux (for example, see output of ls
-Zd /dev/shm, which is by default mounted as tmpfs on Fedora and RHEL).
So far so good. What is not good is that default targeted policy
mostly has rules for tmp_t, not tmpfs_t, when dealing with access to
/tmp. So OK, I could grep for all rules where tmp_t is mentioned, and
make another set of identical rules for tmpfs_t.
Instead of doing that, I attempted using chcon to set tmp_t context to
/tmp just after it is mounted. However this doesn't seem to help.
The applications that ran fine when /tmp is part of "normal" disc
based ext3 file system, are blocked by SELinux when /tmp is on tmpfs.
By "applications", I mainly mean postgresql database. I know about
that database initialization problem with older targeted policy, and
this is not the case here (database is already initialized).
The log suggests that postgresql was prevented from creating a file
inside /tmp, since rule says it is allowed to do that on tmp_t, and
/tmp was tmpfs_t. Which is strange. I did chcon -t tmp_t /tmp, and
ls -Zd /tmp clearly shows it labeled as tmp_t. I thought anything
created inside /tmp would inherit its context?
I looked into manual page for mount, and there doesn't seem to be an
option (at least not documented in the manual page, maybe somewhere
else?) to set default context for a tmpfs file system to something
other than tmpfs_t.
I've also noticed that in
/etc/selinux/targeted/contexts/files/file_contexts, there is this set
of lines for /tmp (and similar for /var/tmp, and /usr/tmp):
/tmp -d system_u:object_r:tmp_t
/tmp/.* <<none>>
I guess information in this file is used for restorecon only? Or is
it also used when initially creating new files? I believe it's the
former, and that files inherit parent directory's context. But, if
I'm wrong, this too might have something to do with my problems...
Is my only option creating duplicate rules in targeted policy for
tmpfs_t (that would mirror rules that reference tmp_t)? Or is there a
way to make tmpfs based /tmp behave like it was part of "normal" ext3
file system?
This was previously discussed in the fedora-selinux list. Look for a
subject of "using tmpfs for /tmp and selinux"
If you add the context mount to your fstab entry, it should work
context=system_u:object_r:tmp_t
Something like
none /tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0
--
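A small check for the fix suggested in the reply, added here as an example and not part of the original thread: it parses fstab-style lines and reports which SELinux label the context= mount option assigns to a tmpfs-backed /tmp, so an operator can confirm the entry is labeled tmp_t rather than the tmpfs_t default before rebooting. The fstab lines below are constructed samples; the function names fstab_context and check_tmp_context are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads fstab-style lines and
# reports the SELinux context= mount option on tmpfs entries for a mount point.

# Constructed fstab samples (not from a real system). The first has a tmpfs
# /tmp with no context= option, so SELinux would label it tmpfs_t; the second
# carries the context= option from the reply.
FSTAB_BAD='none /tmp tmpfs defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0'
FSTAB_GOOD='none /tmp tmpfs defaults,context=system_u:object_r:tmp_t 0 0
tmpfs /dev/shm tmpfs defaults 0 0'

# fstab_context <mountpoint> <fstab-text>
# Prints the label given by context= for each tmpfs entry of <mountpoint>,
# or "none" when the entry has no context= option. Comment lines are skipped.
fstab_context() {
    mp=$1
    printf '%s\n' "$2" | awk -v mp="$mp" '
        /^[[:space:]]*#/ { next }
        $2 == mp && $3 == "tmpfs" {
            n = split($4, opts, ",")
            ctx = "none"
            for (i = 1; i <= n; i++)
                if (index(opts[i], "context=") == 1)
                    ctx = substr(opts[i], 9)   # strip the "context=" prefix
            print ctx
        }'
}

# check_tmp_context <wanted-label> <fstab-text>
# Succeeds only when the tmpfs /tmp entry sets context= to <wanted-label>.
check_tmp_context() {
    [ "$(fstab_context /tmp "$2")" = "$1" ]
}

# When run directly, show the label each sample would give /tmp.
printf 'bad sample:  %s\n' "$(fstab_context /tmp "$FSTAB_BAD")"
printf 'good sample: %s\n' "$(fstab_context /tmp "$FSTAB_GOOD")"
```

On a live system the second argument can be the contents of /etc/fstab; the check is deliberately limited to tmpfs entries, since for an ext3-backed /tmp the label comes from the on-disk xattrs and file_contexts rather than a mount option.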