Description of problem:
Locally, we mount /tmp as a tmpfs filesystem:

tmpfs /tmp tmpfs defaults 0 0

tmpfs on /tmp type tmpfs (rw)

Tried to move some files into /tmp and got:

Mar 28 10:12:37 cynosure kernel: audit(1143565957.886:1719): avc: denied { associate } for pid=25059 comm="mv" name="qt-i386.conf" scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

Moving to /var/tmp worked.

Version-Release number of selected component (if applicable):
selinux-policy-2.2.25-2.fc5
There should be a line in /etc/rc.sysinit restoring the context to tmp_t? restorecon /tmp should eliminate this problem, and this is supposed to happen on boot? Dan
rc.sysinit:

# Clean up various /tmp bits
[ -n "$SELINUX_STATE" ] && restorecon /tmp

Currently:

# ls -ldZ /tmp
drwxrwxrwt root root system_u:object_r:tmp_t /tmp

Try:

# restorecon -v /tmp
# ls -Zd /tmp
drwxrwxrwt root root system_u:object_r:tmp_t /tmp

Still no go:

# mv install.log /tmp
mv: cannot create regular file `/tmp/install.log': Permission denied

Mar 28 15:33:44 cynosure kernel: audit(1143585224.975:1730): avc: denied { associate } for pid=7214 comm="mv" name="install.log" scontext=system_u:object_r:file_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

Issue with underlying mount point dir? I'll have to log out to check...
Where did the file install.log come from? It is labeled file_t, which means it has no file context or is unlabeled? So the question is how this file became unlabeled. If you execute restorecon install.log and then mv it, it will work.
Ah, so it's the scontext that is important here:

restorecon reset /root/install.log context system_u:object_r:file_t->root:object_r:user_home_t
[root@cynosure ~]# mv install.log /tmp
[root@cynosure ~]#

So, getting back to the original report:

[root@cynosure ~]# mv /etc/ld.so.conf.d/* /tmp
mv: cannot create regular file `/tmp/octave-i386.conf': Permission denied
mv: cannot create regular file `/tmp/qt-i386.conf': Permission denied

for pid=13638 comm="mv" name="octave-i386.conf" scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 29 09:36:14 cynosure kernel: audit(1143650174.631:1738): avc: denied { associate } for pid=13638 comm="mv" name="qt-i386.conf" scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 29 09:37:05 cynosure kernel: SELinux: initialized (dev 0:11, type nfs), uses genfs_contexts

Now, I'm not sure why this should be prevented, though I could perhaps understand why. But I can do:

[root@cynosure ~]# rm -f /etc/ld.so.conf.d/*
[root@cynosure ~]#

Which is essentially the same thing as far as /etc/ld.so.conf.d/ is concerned.
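An added example, not part of this bug report or of the selinux-policy package, that triages AVC records of the kind pasted in the comments above. It parses the kernel-log `avc: denied { ... }` format and applies the two points made in this thread: for `tclass=filesystem { associate }` the scontext is the label of the file being created on the filesystem (not the process), so the rule that would silence it is `allow <file type> <fs type>:filesystem associate;`, and a source type of `file_t` means the file simply has no context, so the right action is `restorecon` on the file rather than a policy change. The sample lines are the two `associate` denials from this bug plus one constructed ordinary process-on-file denial for contrast; the `UNLABELED_TYPES` set and the audit2allow-style output format are my assumptions for the example.

```python
"""Triage SELinux AVC denials from kernel-log lines (added example).

For tclass=filesystem { associate }, scontext is the label of the FILE being
created and tcontext is the label of the filesystem it lands on; it is not a
process-vs-object check like the usual file/dir denials.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the two associate denials quoted in this bug, plus one
# constructed process-on-file denial (httpd line) for contrast.
SAMPLE_AVC_LINES: List[str] = [
    'Mar 28 10:12:37 cynosure kernel: audit(1143565957.886:1719): avc: denied '
    '{ associate } for pid=25059 comm="mv" name="qt-i386.conf" '
    'scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
    'tclass=filesystem',
    'Mar 28 15:33:44 cynosure kernel: audit(1143585224.975:1730): avc: denied '
    '{ associate } for pid=7214 comm="mv" name="install.log" '
    'scontext=system_u:object_r:file_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
    'tclass=filesystem',
    # constructed, not from the report
    'Mar 29 09:40:00 cynosure kernel: audit(1143650400.000:1740): avc: denied '
    '{ write } for pid=1234 comm="httpd" name="index.html" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 '
    'tclass=file',
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either "quoted" (comm, name) or bare (pid, contexts).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumption for this example: types that mean "no file context assigned".
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, whole, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if whole.startswith('"') else bare
    return rec


def triage(rec: Dict[str, object]) -> Tuple[Optional[str], str]:
    """Return (allow rule that would silence the denial or None, explanation)."""
    if rec["result"] != "denied":
        return None, "not a denial"
    perms: List[str] = list(rec["perms"])  # type: ignore[arg-type]
    stype = context_type(str(rec["scontext"]))
    ttype = context_type(str(rec["tcontext"]))
    tclass = str(rec["tclass"])
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

    if tclass == "filesystem" and "associate" in perms:
        # scontext here is the file's own label, not the process's.
        if stype in UNLABELED_TYPES:
            return None, (
                f"file {rec.get('name')!r} is {stype} (no file context assigned); "
                f"run restorecon on it rather than changing policy"
            )
        return (
            f"allow {stype} {ttype}:filesystem associate;",
            f"policy does not let {stype} files be created on a {ttype} filesystem",
        )
    return (
        f"allow {stype} {ttype}:{tclass} {perm_str};",
        f"process {rec.get('comm')!r} ({stype}) denied {perm_str} on {ttype} {tclass}",
    )


def triage_log(lines: List[str]) -> List[Tuple[Optional[str], str]]:
    """Triage every AVC record found in the given log lines."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append(triage(rec))
    return out


if __name__ == "__main__":
    for rule, why in triage_log(SAMPLE_AVC_LINES):
        print(f"{why}\n    -> {rule or 'no policy change suggested'}")
```

Running it against the three sample lines yields the `allow etc_t tmpfs_t:filesystem associate;` rule for the first denial, a restorecon recommendation (and no rule) for the `file_t` install.log case, and an ordinary `allow httpd_t user_home_t:file write;` for the constructed line. Whether a printed `associate` rule is actually appropriate is a policy decision; in this bug the shipped selinux-policy was changed rather than the local system.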
Fixed in selinux-policy-2.2.38-2 in rawhide. Will show up next week in FC5.
Confirmed.