Re: /tmp on tmpfs (was: Re: Summary/Minutes for today's FESCo meeting (2012-04-02))


 



On 04/02/2012 16:26, Richard W.M. Jones wrote:
On Mon, Apr 02, 2012 at 04:11:24PM -0400, David Quigley wrote:
On 04/02/2012 16:06, Richard W.M. Jones wrote:
>That's not what I said. I said that relatively recent kernels (up to
>the middle of last year) didn't support system.*, and tmpfs doesn't

Sorry, I meant to write security.* there.

>support user.* at all AFAICT.
>
>Rich.
>
>--
>Richard Jones, Virtualization Group, Red Hat
>http://people.redhat.com/~rjones
>virt-top is 'top' for virtual machines.  Tiny program with many
>powerful monitoring features, net stats, disk stats, logging, etc.
>http://et.redhat.com/~rjones/virt-top

I wasn't contesting your statement of user.* and system.*. I was just
pointing out that tmpfs has supported SELinux labels for a very long
time. Even well before Eric's patch last year that put generic xattr
handlers in. So there should be no issue at all with SELinux labels
on tmpfs even if you run older kernels.

Are you sure about this? '-o seclabel' has been backported to RHEL 6,
but it doesn't exist on RHEL 5, nor on (upstream) 2.6.39 AFAICS.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw


You don't specify seclabel as an option. It is something that is put into the mount command to show you that a filesystem supports being able to set security labels on it. I wrote that patch back in 2009 sometime I think. Seclabel just says that the filesystem is being labeled with xattrs, transition, or task labeling types. In all of these cases in the event of an xattr handler not being present it will fall back on the LSM via vfs_set/getxattr to set the label on the incore inode. So whether or not RHEL 5 reports seclabel in the mount options is irrelevant because it's just notifying you of behavior that already existed.

Dave