Bug 151957 - SELinux FAQ - How do I use tmpfs for /tmp?
Summary: SELinux FAQ - How do I use tmpfs for /tmp?
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karsten Wade
QA Contact: Tammy Fox
URL: http://fedora.redhat.com/docs/selinux...
Whiteboard:
Depends On:
Blocks: 118757
Reported: 2005-03-23 20:33 UTC by Karsten Wade
Modified: 2009-02-27 21:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-02-27 21:50:47 UTC
Embargoed:



Description Karsten Wade 2005-03-23 20:33:58 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

> Is it possible to use tmpfs for /tmp with selinux (targeted) ...
> I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp

You could try mounting with the context= option, e.g.
context=system_u:object_r:tmp_t.  This will force the superblock and
root directory to tmp_t, and then files created in it should pick up the
usual type transitions by default (e.g. mysqld_tmp_t).  However, at
present, using this option disables the use of getxattr/setxattr and
setfscreatecon on the filesystem, so note that ls -Z and similar
programs will no longer be able to get or set contexts on /tmp.



Version-Release of FAQ (found on
http://fedora.redhat.com/docs/selinux-faq-fc3/ln-legalnotice.php),
for example:

  selinux-faq-1.3-8 (2005-01-20-T16:20-0800)

Comment 1 Karsten Wade 2005-03-24 23:53:16 UTC
> doesn't seem to work:
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.ICE-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.X11-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.X11-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): 
> avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg 
> name=.tX0-lock scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem

Ah, yes - you would need policy changes as well, e.g.
        allow tmpfile tmp_t:filesystem associate;
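
As an added example (not part of the bug report), a small Python script that parses the AVC denials quoted above and groups them into the type enforcement allow rule a local policy module would need, the way audit2allow does. The host name in the sample is a constructed placeholder, the lines are re-joined onto one line each, and the derived rule names the concrete type tmp_t where the reply's rule uses tmpfile.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in Comment 1, re-joined onto one
# line each (the bug page wraps them) and with the host name replaced.
AVC_SAMPLE = """\
Mar 24 08:35:28 host kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 host kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 host kernel: audit(1111649731.447:0): avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
"""

# Pull the denied permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field (user:role:type[:range]) of a security context."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(denials):
    """Render each grouped denial as one type enforcement allow rule."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(collect_denials(AVC_SAMPLE)):
        print(rule)  # prints: allow tmp_t tmp_t:filesystem associate;
```

The three denials collapse into a single rule because they share source type, target type and class; on a real system, run the same grouping over the full audit log before deciding whether the rule (or a broader attribute such as the reply's tmpfile) is the right fix.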

Comment 2 Susan Lauber 2009-02-27 21:50:47 UTC
Not even sure what this was supposed to be covering....
I am closing this ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/

