SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: I would like to propose some kind of consolidation of tmpfs_t and tmp_t This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Daniel J Walsh <dwalsh_at_redhat.com> Date: Thu, 24 Mar 2005 15:06:08 -0500 Stephen Smalley wrote: >On Thu, 2005-03-24 at 09:37 -0500, Stephen Smalley wrote: > > >>For /tmp, a fscontext= mount seems to have an issue in that it is still >>using type transitions for labeling inodes (including the root), so we >>end up with mount_tmp_t on /tmp at least under strict policy. Possibly >>we could/should change the way that works for the root inode. >> >> > >Possible workaround - mount with fscontext=, then run restorecon /tmp >(not recursively, just on the top-level directory) from rc.sysinit. >That would get us tmp_t on the superblock and tmp_t on the root >directory. Then you just need a few policy modifications like allow >tmpfile_t tmp_t:filesystem associate;, and you still can perform >[gs]etfilecon and setfscreatecon on the filesystem. > > > I don't think we have do do any of that. It seems to work if you do a restorecon /tmp in the init scripts. I am running strict policy with tmpfs mounted on /tmp mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) none on /proc type proc (rw) none on /sys type sysfs (rw) none on /dev/pts type devpts (rw,gid=5,mode=620) /dev/hda1 on /boot type ext3 (rw) none on /tmp type tmpfs (rw) none on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) -- --- initscripts-8.05/rc.d/rc.sysinit~ 2005-03-24 15:02:51.000000000 -0500 +++ initscripts-8.05/rc.d/rc.sysinit 2005-03-24 15:03:11.000000000 -0500 @@ -593,6 +593,7 @@ fi # Clean up various /tmp bits +restorecon /tmp rm -f /tmp/.X-lock /tmp/.lock. /tmp/.gdm_socket /tmp/.s.PGSQL.* rm -rf /tmp/.X-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/hsperfdata_ \ /tmp/kde-* /tmp/ksocket-* /tmp/mc-* /tmp/mcop-* /tmp/orbit-* \ -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Thu 24 Mar 2005 - 15:09:45 EST This message: [ Message body ] Next message: Tom: "Re: Do you trust X server?" Previous message: Daniel J Walsh: "Re: setsebool problems" In reply to: Stephen Smalley: "Re: I would like to propose some kind of consolidation of tmpfs_t and tmp_t" Next in thread: Stephen Smalley: "Re: I would like to propose some kind of consolidation of tmpfs_t and tmp_t" Reply: Stephen Smalley: "Re: I would like to propose some kind of consolidation of tmpfs_t and tmp_t" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom