filesystem relabeling not working for /tmp after enabling SELinux

Quick version: Anyone know why, if you try to relabel your filesystem for SELinux, files in /tmp do not get relabeled?

Detailed version:

I have a CentOS 5.7 machine where I am trying to enable SELinux to improve the machine's security.

I specified "SELINUX=permissive" in /etc/selinux/config and rebooted, and sestatus reports that it's on:
[root@g6950-21025 tmp]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

But when I try to relabel the filesystem, files in /tmp do not get relabeled, although files everywhere except /tmp do get relabeled properly. I relabeled by doing
# genhomedircon
# touch /.autorelabel
# reboot
in accordance with directions at
http://wiki.centos.org/HowTos/SELinux
and the /.autorelabel was deleted after I rebooted (indicating that it had been processed), and most files were relabeled correctly:
>>
[root@g6950-21025 tmp]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
>>
However, the ones in /tmp were not:
>>
[root@g6950-21025 tmp]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
>>

(sealert says that any file of type "file_t" means it was not relabeled properly.) I have a number of CGI scripts that rely on reading and writing to files in the /tmp directory and SELinux would block most of them from working because of the labeling problem. (Plus PHP writes to /tmp so I assume many PHP scripts would have errors as well.)

Any idea why the files in /tmp were not relabeled, and how to fix it?

My only guess is that since I think /tmp is a different partition, maybe the relabeling relabeled everything on the "/" partition but not on /tmp? If that's correct, how would I fix it? I tried creating a file at /tmp/.autorelabel and rebooting, but that didn't work (and the file did not get deleted, suggesting it wasn't processed at all).

Bennett
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
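An added example for the situation described in the post above (it is not part of the original message or of the CentOS wiki it cites): a small POSIX sh helper that checks whether /tmp is mounted as its own filesystem, picks out the entries in `ls -lZ` output that still carry the unlabeled `file_t` type, and then relabels the directory directly with `restorecon -R -v`, which walks a mounted filesystem and applies the contexts from the loaded policy without waiting for a boot-time relabel. The function names, the sample `/proc/mounts` text and the sample `ls -lZ` lines are constructed for this example and are assumptions, not output from the poster's machine; the `ls -lZ` field layout (permissions, owner, group, context, path) matches the lines shown in the post.

```shell
#!/bin/sh
# Added example: check for an unrelabeled /tmp and relabel it directly.
# Function names and sample data below are constructed for this example.

# Constructed sample of /proc/mounts on a host where /tmp is its own filesystem.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
none /selinux selinuxfs rw 0 0'

# Constructed sample of `ls -lZ /tmp` output in the CentOS 5 layout:
# perms owner group context path. One entry still has the unlabeled type file_t.
SAMPLE_LS='-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- root   root   system_u:object_r:tmp_t  /tmp/session.lock
drwxrwxrwt root   root   system_u:object_r:tmp_t  /tmp'

# is_separate_mount PATH MOUNTS_TEXT
# Exit 0 if PATH appears as a mount point (second field) in MOUNTS_TEXT.
# On a live host pass "$(cat /proc/mounts)" as the second argument.
is_separate_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == p { found = 1 }
        END     { exit (found ? 0 : 1) }'
}

# unlabeled_files LS_TEXT
# Print the path of every entry whose SELinux type (third field of the
# context, split on ":") is file_t, i.e. a file the relabel never reached.
unlabeled_files() {
    printf '%s\n' "$1" | awk '{
        split($4, c, ":")
        if (c[3] == "file_t") print $5
    }'
}

# count_unlabeled LS_TEXT -> number of file_t entries
count_unlabeled() {
    unlabeled_files "$1" | wc -l | tr -d ' '
}

# relabel_now PATH
# Relabel PATH in place from the loaded policy. restorecon works on any
# mounted filesystem that supports xattrs, so a separate /tmp is covered.
# Prints the command instead when restorecon is not installed (non-SELinux host).
relabel_now() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R -v "$1"
    else
        echo "would run: restorecon -R -v $1"
    fi
}

# Demonstration on the constructed samples (needs neither root nor SELinux tools).
if is_separate_mount /tmp "$SAMPLE_MOUNTS"; then
    echo "/tmp is mounted as its own filesystem"
fi
echo "entries still labeled file_t: $(count_unlabeled "$SAMPLE_LS")"
unlabeled_files "$SAMPLE_LS"

# On the real host, replace the samples with live data:
#   unlabeled_files "$(ls -lZ /tmp)"
#   relabel_now /tmp
#   ls -lZ /tmp            # re-check: file_t entries should now be gone
```

After `restorecon -R -v /tmp` the `-v` output lists every path whose context changed, which makes it easy to confirm that the `file_t` entries were the only ones affected; running `ls -lZ /tmp` afterwards should show no `file_t` left.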