Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: I would like to propose some kind of consolidation of tmpfs_t and tmp_t
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Thu, 24 Mar 2005 09:37:37 -0500
tmpfs can be used for several different purposes, including a kernel internal mount for shared anon mappings and System V shared memory, a mount on /dev/shm for POSIX shared memory, a mount on /dev for udev, optionally /tmp and /var/tmp, etc. The original tmpfs rules were oriented toward controlling shared memory access by a domain. For /dev, I think that the Fedora solution was to run restorecon from rc.sysinit to reset the security context on the top-level /dev directory and any nodes already created, while leaving the fscontext unmodified, whereas others have been using a fscontext= mount for it. For /tmp, a fscontext= mount seems to have an issue in that it is still using type transitions for labeling inodes (including the root), so we end up with mount_tmp_t on /tmp at least under strict policy. Possibly we could/should change the way that works for the root inode. For context= mounts, we get the desired behavior (tmp_t on /tmp and typical derived types on files created under it), but we lose the ability to [gs]etfilecon and setfscreatecon on /tmp presently (which we could/should also change at least for tmpfs). We also need a policy change (allow tmpfile tmp_t:filesystem associate;), but that is trivial. The concern with collapsing tmpfs_t and tmp_t together (and $1_tmpfs_t and $1_tmp_t as well, to avoid type transition conflicts, which would occur quite extensively with strict policy) is that it means that policy can no longer distinguish between a domain's ability to act on /tmp files versus its ability to act on shared memory objects (aside from the additional controls on System V shared memory). If everyone were using tmpfs /tmp, that might be less of a concern, as a tmpfs file is effectively a shared memory object too. But if some people still want to use a traditional /tmp, then they might care about the distinction. -- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Thu 24 Mar 2005 - 09:45:33 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |