
Bug 151957

Summary: SELinux FAQ - How do I use tmpfs for /tmp?
Product: [Retired] Fedora Documentation
Component: selinux-faq
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: devel
Hardware: All
OS: Linux
URL: http://fedora.redhat.com/docs/selinux-faq-fc3/
Reporter: Karsten Wade <kwade>
Assignee: Karsten Wade <kwade>
QA Contact: Tammy Fox <tammy.c.fox>
CC: laubersm+fedora
Doc Type: Bug Fix
Last Closed: 2009-02-27 21:50:47 UTC
Bug Blocks: 118757

Description Karsten Wade 2005-03-23 20:33:58 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

> Is it possible to use tmpfs for /tmp with selinux (targeted) ...
> I tried but got many avcs (tmp_t becomes tmpfs_t) for all files in /tmp

You could try mounting with the context= option, e.g.
context=system_u:object_r:tmp_t.  This will force the superblock and
root directory to tmp_t, and then files created in it should pick up the
usual type transitions by default (e.g. mysqld_tmp_t).  However, at
present, using this option disables the use of getxattr/setxattr and
setfscreatecon on the filesystem, so note that ls -Z and similar
programs will no longer be able to get or set contexts on /tmp.
Version-Release of FAQ (found on
http://fedora.redhat.com/docs/selinux-faq-fc3/ln-legalnotice.php),
for example:

  selinux-faq-1.3-8 (2005-01-20-T16:20-0800)

Comment 1 Karsten Wade 2005-03-24 23:53:16 UTC
> doesn't seem to work:
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.ICE-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.X11-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:28 chello062178124144 kernel: audit(1111649728.433:0): 
> avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary 
> name=.X11-unix scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem
> Mar 24 08:35:31 chello062178124144 kernel: audit(1111649731.447:0): 
> avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg 
> name=.tX0-lock scontext=user_u:object_r:tmp_t 
> tcontext=system_u:object_r:tmp_t tclass=filesystem

Ah, yes - you would need policy changes as well, e.g.
        allow tmpfile tmp_t:filesystem associate;
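The denials quoted above all have the same shape: a source type, a target type, an object class and a denied permission. As an added example that is not part of this bug or of any Fedora tool, the parser below reads kernel AVC lines of that form and collapses them into candidate allow rules, roughly what audit2allow does. The sample log is constructed from the lines in Comment 1 (joined onto single lines, host name replaced). Note that it derives a rule for the concrete type pair seen in the log (tmp_t to tmp_t); the rule in Comment 1 uses the broader tmpfile attribute instead, which also covers the derived types such as mysqld_tmp_t mentioned in the description.

```python
import re
from collections import OrderedDict

# Constructed sample in the form of the kernel AVC lines quoted in Comment 1.
SAMPLE_LOG = """\
Mar 24 08:35:28 host kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.ICE-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:28 host kernel: audit(1111649728.433:0): avc:  denied  { associate } for  pid=4574 exe=/usr/bin/gdm-binary name=.X11-unix scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
Mar 24 08:35:31 host kernel: audit(1111649731.447:0): avc:  denied  { associate } for  pid=5340 exe=/usr/X11R6/bin/Xorg name=.tX0-lock scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
"""

# "avc:  denied  { perm ... } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the denied permissions plus the key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"perms": perms, **fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(log_text):
    """Collapse all denials into one allow rule per (source, target, class)."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    return [f"allow {s} {t}:{c} {_fmt_perms(p)};" for (s, t, c), p in rules.items()]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```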

Comment 2 Susan Lauber 2009-02-27 21:50:47 UTC
Not even sure what this was supposed to be covering....
I am closing this ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/