Stephen Smalley wrote:
>On Thu, 2005-03-24 at 09:37 -0500, Stephen Smalley wrote:
>
>>For /tmp, a fscontext= mount seems to have an issue in that it is still
>>using type transitions for labeling inodes (including the root), so we
>>end up with mount_tmp_t on /tmp at least under strict policy. Possibly
>>we could/should change the way that works for the root inode.
>
>Possible workaround - mount with fscontext=, then run restorecon /tmp
>(not recursively, just on the top-level directory) from rc.sysinit.
>That would get us tmp_t on the superblock and tmp_t on the root
>directory. Then you just need a few policy modifications like allow
>tmpfile_t tmp_t:filesystem associate;, and you still can perform
>[gs]etfilecon and setfscreatecon on the filesystem.

I don't think we have to do any of that. It seems to work if you do a
restorecon /tmp in the init scripts. I am running strict policy with
tmpfs mounted on /tmp

mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda1 on /boot type ext3 (rw)
none on /tmp type tmpfs (rw)
none on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
--
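As an added example (not code from either poster), the following POSIX shell script parses mount(8) output in the same format as the listing above and reports which of the two approaches from the thread applies to /tmp: a plain tmpfs mount that relies on a non-recursive `restorecon /tmp` from the init scripts, or a mount that already passed `fscontext=` and still wants the single `restorecon /tmp` for the root inode. The sample mount listings are constructed; the function names `mount_entry`, `is_tmpfs`, `has_fscontext` and `tmp_label_advice` are this example's own.

```shell
#!/bin/sh
# Added example: decide whether the /tmp labeling workaround from the thread
# applies, based on mount(8) output. Sample listings below are constructed.

SAMPLE_MOUNTS='/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
none on /proc type proc (rw)
none on /tmp type tmpfs (rw)
none on /dev/shm type tmpfs (rw)'

# Constructed: same layout but /tmp was mounted with fscontext= already.
SAMPLE_WITH_FSCONTEXT='none on /tmp type tmpfs (rw,fscontext=system_u:object_r:tmp_t)'

# Constructed: /tmp is an ordinary ext3 partition, so tmpfs labeling does not apply.
SAMPLE_NO_TMPFS='/dev/hda2 on /tmp type ext3 (rw)'

# Print "<fstype> <options>" for mount point $1, reading mount(8) output on
# stdin. Lines look like: "none on /tmp type tmpfs (rw,gid=5)".
mount_entry() {
    awk -v mp="$1" '$3 == mp { opts = $6; gsub(/[()]/, "", opts); print $5, opts }'
}

# Succeed if mount point $1 is of type tmpfs in the mount output $2.
is_tmpfs() {
    [ "$(printf '%s\n' "$2" | mount_entry "$1" | cut -d' ' -f1)" = tmpfs ]
}

# Succeed if the mount options for $1 in mount output $2 include fscontext=.
has_fscontext() {
    printf '%s\n' "$2" | mount_entry "$1" | cut -d' ' -f2 | tr ',' '\n' \
        | grep -q '^fscontext='
}

# Map the mount output in $1 to the advice given in the thread:
#   not-tmpfs        /tmp is not on tmpfs; the tmpfs labeling issue is moot
#   fscontext-set    superblock label set at mount time; Stephen's note still
#                    calls for a non-recursive "restorecon /tmp" for the root inode
#   restorecon-only  plain tmpfs; a "restorecon /tmp" (no -R) from the init
#                    scripts is what the reply reports as sufficient
tmp_label_advice() {
    if ! is_tmpfs /tmp "$1"; then
        echo not-tmpfs
    elif has_fscontext /tmp "$1"; then
        echo fscontext-set
    else
        echo restorecon-only
    fi
}

# Stand-alone run: show the verdict for each constructed listing. On a real
# system you would feed it "$(mount)" and act on the result in rc.sysinit.
tmp_label_advice "$SAMPLE_MOUNTS"
tmp_label_advice "$SAMPLE_WITH_FSCONTEXT"
tmp_label_advice "$SAMPLE_NO_TMPFS"
```

The parser keys on the third and fifth whitespace-separated fields of each mount line, which is stable for the `X on /path type fstype (opts)` format shown in the message; mount points containing spaces would need /proc/mounts style escaping and are not handled here.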