From: Russell Coker <russell@coker.com.au>
To: "Stephen D. Smalley" <sds@epoch.ncsc.mil>, selinux@tycho.nsa.gov
Subject: Re: tmpfs_t
Date: Sat, 1 Feb 2003 23:51:48 +0100
Message-ID: <200302012351.48969.russell@coker.com.au>
In-Reply-To: <200301271320.IAA05862@moss-shockers.ncsc.mil>
On Mon, 27 Jan 2003 14:20, Stephen D. Smalley wrote:
> The problem is that tmpfs is also used for the kernel internal mount
> for System V shared memory and shared anonymous mappings. The current
> fs_use configuration and the existing $1_tmpfs_t types and rules are
> oriented toward that usage of tmpfs. Distinguishing different instances
> of tmpfs mounts and providing different labeling behaviors and contexts
> for those different instances would require further changes to SELinux.
I believe that changes are required.
For UML and busy Apache servers, using tmpfs as /tmp is common practice. The
current SE Linux setup will force many of the people who run big servers to
change their operation in a way that will hurt performance to support running
SE Linux.
I've experimented with using chcon to set the type after mounting which seems
to work OK.
I believe that the best option is to label the root inode of tmpfs as
system_u:object_r:tmp_t via initial_sid_contexts. I've been looking at the
kernel code; is superblock_doinit() the right place to make such a change?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.