[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    Re: tmpfs_t
From:       "Stephen D. Smalley" <sds () epoch ! ncsc ! mil>
Date:       2003-02-04 18:36:59
[Download RAW message or body]


> For UML and busy Apache servers using tmpfs as /tmp is common practise.  The 
> current SE Linux setup will force many of the people who run big servers to 
> change their operation in a way that will hurt performance to support running 
> SE Linux.

You can use tmpfs as /tmp, as long as you are ok with the same labeling
behavior and policy for /tmp and for System V shared memory and shared
anonymous mappings.  That may be reasonable.

> I've experimented with using chcon to set the type after mounting which seems 
> to work OK.
> 
> I believe that the best option is to label the root inode of tmpfs as 
> system_u:object_r:tmp_t via initial_sid_contexts.  I've been looking at the 
> kernel code, is superblock_doinit() the right place to do a change?

Doesn't help.  We already provide labeling for tmpfs (see the tmpfs entry
in policy/fs_use).  There is only an issue if you want to distinguish
different instances of tmpfs mounts.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]