Stephen Smalley (sds@xxxxxxxxxxxxx) said:
> On Tue, 2006-04-18 at 16:42 -0400, Bill Nottingham wrote:
> > > Considering this is scratch space that will be used just like
> > > the 'stock' filesystem for various things (/var, /etc state
> > > files, etc.), this seems to be the right solution. I'll try
> > > this.
> >
> > So, this doesn't work for me... the initial mount of the tmpfs
> > fails (with no avc). Subsequent mounts succeed, but, well, at that point
> > you're screwed.
>
> Any other messages in /var/log/messages from SELinux (not just avc)?
> e.g. SELinux: security_context_to_sid(xxx) failed ...

Sorry, I misspoke - I did find the avc later - it was system_u:system_r:mount_t
being unable to relabel a filesystem to system_u:object_r:fs_t.

> It may be necessary to add allow rules to enable the fscontext= mount to
> succeed, although I would have expected that to generate an avc denial
> if that were the issue (unless suppressed by a dontaudit, but that seems
> wrong). You would need to allow <processdomain>
> <originalfstype>:filesystem relabelfrom; allow <processdomain>
> <newfstype>:filesystem relabelto;

Dan? Is this something generally useful, or something I should add along
with the various 'mounton' policies I need to create?

Related question: is there a way to install policy modules that are
available for use, but not used? Having to remove the module entirely,
and then rebuild/recopy it when it's needed, seems to be overkill.

Bill

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
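The two allow rules Stephen describes, written out as a loadable policy module for the case in Bill's avc (mount_t relabelling a tmpfs to fs_t). This is an added example, not code from the thread; the module name and the build commands in the comments are mine, and it assumes the original filesystem type of a tmpfs superblock is tmpfs_t.

```selinux
# mount_fscontext.te -- added example, not from the thread.
# Grants the mount domain what an fscontext= mount of a tmpfs needs:
# relabelfrom on the original filesystem type (assumed: tmpfs_t) and
# relabelto on the type named in fscontext= (fs_t, from the avc above).
#
# Build and load (assumed commands, run as root):
#   checkmodule -M -m -o mount_fscontext.mod mount_fscontext.te
#   semodule_package -o mount_fscontext.pp -m mount_fscontext.mod
#   semodule -i mount_fscontext.pp
module mount_fscontext 1.0;

require {
	type mount_t;    # from the avc: system_u:system_r:mount_t
	type tmpfs_t;    # assumed original type of a tmpfs superblock
	type fs_t;       # from the avc: system_u:object_r:fs_t
	class filesystem { relabelfrom relabelto };
}

# allow <processdomain> <originalfstype>:filesystem relabelfrom;
allow mount_t tmpfs_t:filesystem relabelfrom;

# allow <processdomain> <newfstype>:filesystem relabelto;
allow mount_t fs_t:filesystem relabelto;
```

Rules added this way apply only to the named source and target types, so a different process domain or a different fscontext= type still needs its own pair of rules.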