problems with tmpfs and relabeling

Bill Nottingham notting at redhat.com
Wed Apr 19 14:12:46 UTC 2006


Stephen Smalley (sds at tycho.nsa.gov) said: 
> On Tue, 2006-04-18 at 16:42 -0400, Bill Nottingham wrote:
> > > Considering this is scratch space that will be used just like
> > > the 'stock' filesystem for various things (/var, /etc state
> > > files, etc.), this seems to be the right solution. I'll try
> > > this.
> > 
> > So, this doesn't work for me... the initial mount of the tmpfs
> > fails (with no avc). Subsequent mounts succeed, but, well, at that point
> > you're screwed.
> 
> Any other messages in /var/log/messages from SELinux (not just avc)?
> e.g. SELinux:  security_context_to_sid(xxx) failed ...

Sorry, I misspoke - I did find the avc later - it was
system_u:system_r:mount_t being unable to relabel a filesystem
to system_u:object_r:fs_t.

> It may be necessary to add allow rules to enable the fscontext= mount to
> succeed, although I would have expected that to generate an avc denial
> if that were the issue (unless suppressed by a dontaudit, but that seems
> wrong).  You would need to allow <processdomain>
> <originalfstype>:filesystem relabelfrom; allow <processdomain>
> <newfstype>:filesystem relabelto;   Dan?

Is this something generally useful, or something I should add along
with the various 'mounton' policies I need to create?

Related question: is there a way to install policy modules that
are available for use, but not used? Having to remove the module
entirely, and then rebuild/recopy it when it's needed, seems to
be overkill.

Bill
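
The two allow rules Stephen spells out above, written out as a loadable policy module for the case in this thread. This is an added example, not part of the original message and not taken from the Fedora policy. It assumes the tmpfs superblock starts out labelled tmpfs_t (the reference policy gives tmpfs that type via fs_use_trans), that the domain and target type are the ones from the AVC Bill quotes (mount_t and fs_t), and the module name mount_tmpfs_relabel is made up:

```selinux
# mount_tmpfs_relabel.te -- hypothetical module name, added example.
# Lets mount_t honour "-o fscontext=" on a tmpfs by changing the
# superblock label from its default type to fs_t. The kernel checks
# relabelfrom against the filesystem's current type and relabelto
# against the requested one, so both rules are needed; the AVC in this
# thread is the relabelto half being denied.
module mount_tmpfs_relabel 1.0;

require {
    type mount_t;    # domain of /bin/mount
    type tmpfs_t;    # default label of a tmpfs superblock (assumed, per fs_use_trans)
    type fs_t;       # type requested through fscontext=
    class filesystem { relabelfrom relabelto };
}

# <processdomain> <originalfstype>:filesystem relabelfrom
allow mount_t tmpfs_t:filesystem relabelfrom;

# <processdomain> <newfstype>:filesystem relabelto
allow mount_t fs_t:filesystem relabelto;
```

Build and load it with `checkmodule -M -m -o mount_tmpfs_relabel.mod mount_tmpfs_relabel.te`, then `semodule_package -o mount_tmpfs_relabel.pp -m mount_tmpfs_relabel.mod` and `semodule -i mount_tmpfs_relabel.pp`; after that `mount -t tmpfs -o fscontext=system_u:object_r:fs_t tmpfs /mnt/scratch` should succeed on the first try (on a policy that carries an MCS/MLS field the context needs its `:s0`). Keep the module to these two rules: they are filesystem-class permissions and cover only the fscontext= relabel, while the file-class `mounton` rules Bill mentions are a separate set and belong in their own module. Note also that the rules apply to every fscontext= mount mount_t performs, not just this scratch space, so re-check the AVC log after loading rather than widening them further.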