Bill Nottingham (notting@xxxxxxxxxx) said:
> Stephen Smalley (sds@xxxxxxxxxxxxx) said:
> > > However, relabeling the files then fails - for each type that I'm
> > > putting on tmpfs, I need to add:
> > >
> > > allow <type> tmpfs_t:filesystem associate;
> > >
> > > before relabelling works.
> > >
> > > This seems strange - is this something that should be fixed in
> > > the stock policy, or should I just carry this in my own module?
> >
> > One option is to use a fscontext= mount option to change the security
> > context associated with the filesystem/superblock object to match your
> > usage, e.g. making it fs_t like a conventional filesystem rather than
> > tmpfs_t. e.g.
> > mount -o fscontext=system_u:object_r:fs_t:s0 ...
>
> Considering this is scratch space that will be used just like
> the 'stock' filesystem for various things (/var, /etc state
> files, etc.), this seems to be the right solution. I'll try
> this.

So, this doesn't work for me... the initial mount of the tmpfs fails
(with no avc). Subsequent mounts succeed, but, well, at that point
you're screwed.

Bill

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list