Stephen Smalley wrote:
On Wed, 2005-03-23 at 13:11 +0100, dragoran wrote:
Is it possible to use tmpfs for /tmp with selinux (targeted) ...
I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp
You could try mounting with the context= option, e.g. context=system_u:object_r:tmp_t. This will force the superblock and root directory to tmp_t, and then files created in it should pick up the usual type transitions by default (e.g. mysqld_tmp_t). However, at present, using this option disables the use of getxattr/setxattr and setfscreatecon on the filesystem, so note that ls -Z and similar programs will no longer be able to get or set contexts on /tmp.
Note to James: Possibly we should reconsider the disabling of getxattr/setxattr and setfscreatecon for mountpoint labeling for pseudo filesystems like tmpfs, since we are just dealing with an incore inode SID and there is no persistent storage, so there is no inconsistency.

Doesn't seem to work:
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
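The denials above are worth reading precisely before reaching for a fix. The mount suggested in the reply (mount -t tmpfs -o context=system_u:object_r:tmp_t tmpfs /tmp) labels the superblock tmp_t, and the filesystem "associate" check is made between a file's type and the type of the superblock it lives on, so the kernel is now asking whether tmp_t files may be associated with a tmp_t filesystem, a pairing the stock policy never needed while tmpfs superblocks were tmpfs_t. The script below is an added example, not part of this thread and not audit2allow itself: it parses AVC messages of the format shown above (the four lines from the post are embedded as constructed sample input), collapses them to (source type, target type, class) triples and prints the allow rules they imply in audit2allow-like syntax, which is the usual way to confirm what a burst of denials is actually asking for before deciding whether a policy change is appropriate. Function names and the regular expression are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC messages quoted in the post,
# embedded here so the script runs offline.
SAMPLE_AVCS = """\
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): avc: denied { associate } for pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): avc: denied { associate } for pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
"""

# Matches the "avc: denied { perm ... } for key=value ..." tail of a message.
# Assumption: key=value fields contain no whitespace, as in the sample above.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    required = ("scontext", "tcontext", "tclass")
    if any(k not in fields for k in required):
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
        "exe": fields.get("exe"),
        "pid": fields.get("pid"),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return dict(grouped)


def allow_rules(text):
    """Render the grouped denials as allow rules in audit2allow-like syntax."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def denied_names(text):
    """The object names the denials were raised for (one entry per distinct name)."""
    return sorted({r["name"] for r in map(parse_avc, text.splitlines()) if r and r["name"]})


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    print("objects affected:", ", ".join(denied_names(SAMPLE_AVCS)))
```

Run against the sample it reduces the four messages to a single rule, allow tmp_t tmp_t:filesystem associate;, which is the whole story: gdm and Xorg are not being denied anything new, the type transitions the reply predicts are working (the sockets and lock file are tmp_t), and what is missing is the file-type-to-superblock-type association that a context= mount of tmpfs introduces. Whether that rule belongs in local policy or the context= approach should be abandoned is a policy decision, not something the script decides.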