Bug 151957 - SELinux FAQ - How do I use tmpfs for /tmp?
Status: CLOSED WONTFIX
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Karsten Wade
Tammy Fox
http://fedora.redhat.com/docs/selinux...
Blocks: 118757
Reported: 2005-03-23 15:33 EST by Karsten Wade
Modified: 2009-02-27 16:50 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-02-27 16:50:47 EST


Description Karsten Wade 2005-03-23 15:33:58 EST
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

> Is it possible to use tmpfs for /tmp with selinux (targeted) ...
> I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp

You could try mounting with the context= option, e.g.
context=system_u:object_r:tmp_t.  This will force the superblock and
root directory to tmp_t, and then files created in it should pick up the
usual type transitions by default (e.g. mysqld_tmp_t).  However, at
present, using this option disables the use of getxattr/setxattr and
setfscreatecon on the filesystem, so note that ls -Z and similar
programs will no longer be able to get or set contexts on /tmp.
Version-Release of FAQ (found on
http://fedora.redhat.com/docs/selinux-faq-fc3/ln-legalnotice.php),
for example:

  selinux-faq-1.3-8 (2005-01-20-T16:20-0800)
Comment 1 Karsten Wade 2005-03-24 18:53:16 EST
> doesn't seem to work:
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.ICE-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.X11-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.X11-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): 
> avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg 
> name=.tX0-lock scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem

Ah, yes - you would need policy changes as well, e.g.
        allow tmpfile tmp_t:filesystem associate;
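As an added example (not code from the bug report or the FAQ): the denials quoted above arise because files created under a tmpfs mounted with the context= option from the description still carry the types the usual transitions assign them, and each such type needs associate permission on the tmp_t superblock. The snippet below parses AVC records in that old kernel-audit layout and collapses them into the distinct allow rules they imply, the per-type form you would compare against the tmpfile attribute rule given in the reply; the log lines are constructed from the quoted ones, with one assumed mysqld_tmp_t record added.

```python
import re

# Constructed sample input: the AVC records quoted in comment 1 (host name
# shortened), plus one constructed mysqld_tmp_t record showing that each type
# a transition creates under the context=tmp_t mount needs its own rule.
SAMPLE_LOG = """\
Mar 24 08:35:28 host kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 host kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 host kernel: audit(1111649731.447:0): avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:36:02 host kernel: audit(1111649762.101:0): avc:  denied  { associate } for  pid=5400 exe=/usr/libexec/mysqld name=mysql.sock scontext=system_u:object_r:mysqld_tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
"""

# Old kernel-audit AVC layout: "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., 'tcontext': ..., 'tclass': ..., ...}
    for one AVC denial line, or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Third field of a security context: user_u:object_r:tmp_t -> tmp_t."""
    return context.split(":")[2]

def derive_allow_rules(log_text):
    """Collapse AVC denials into the distinct TE rules they would need, in
    first-seen order, e.g. 'allow tmp_t tmp_t:filesystem { associate };'.
    The reply in comment 1 covers all such types at once with the tmpfile
    attribute; this per-type form is what you would check against it."""
    wanted = {}  # (source type, target type, class) -> set of permissions
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in wanted.items()]

if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_LOG):
        print(rule)
```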
Comment 2 Susan Lauber 2009-02-27 16:50:47 EST
Not even sure what this was supposed to be covering....
I am closing this ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/
