Old 01-08-2012, 10:36 PM
Bennett Haselton
 
filesystem relabeling not working for /tmp after enabling SELinux

Quick version: Anyone know why, if you try to relabel your filesystem
for SELinux, files in /tmp do not get relabeled?


Detailed version:

I have a CentOS 5.7 machine where I am trying to enable SELinux to
improve the machine's security.


I specified "SELINUX=permissive" in /etc/selinux/config and rebooted,
and sestatus reports that it's on:

[root@g6950-21025 tmp]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted

But when I try to relabel the filesystem, files in /tmp do not get
relabeled, although files everywhere except /tmp do get relabeled
properly. I relabeled by doing

# genhomedircon
# touch /.autorelabel
# reboot
in accordance with directions at
http://wiki.centos.org/HowTos/SELinux
and the /.autorelabel was deleted after I rebooted (indicating that it
had been processed), and most files were relabeled correctly:

>>
[root@g6950-21025 tmp]# ls -lZ /var/www/html/robots.txt
-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt

>>
However, the ones in /tmp were not:
>>
[root@g6950-21025 tmp]# ls -lZ /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO

>>

(sealert says that any file of type "file_t" means it was not relabeled
properly.) I have a number of CGI scripts that rely on reading and
writing to files in the /tmp directory and SELinux would block most of
them from working because of the labeling problem. (Plus PHP writes to
/tmp so I assume many PHP scripts would have errors as well.)


Any idea why the files in /tmp were not relabeled, and how to fix it?

My only guess is that since I think /tmp is a different partition, maybe
the relabeling relabeled everything on the "/" partition but not on
/tmp? If that's correct, how would I fix it? I tried creating a file
at /tmp/.autorelabel and rebooting, but that didn't work (and the file
did not get deleted, suggesting it wasn't processed at all).


Bennett
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
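
One way to test the partition guess in the post above against data, as an added example that is not part of the original post: it groups file_t entries from `ls -lZ` output by the mount point that holds them. The mount table, device names and the third listing entry are constructed; on a real system the inputs would come from /proc/mounts and a recursive `ls -lZ`.

```shell
#!/bin/sh
# Added example: count unlabeled (file_t) files per mount point.

# Constructed mount table in /proc/mounts layout: device mountpoint fstype ...
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw 0 0
proc /proc proc rw 0 0'

# Listing in the CentOS 5 `ls -lZ` layout: mode user group context path.
# The first two entries are from the post; the third is constructed.
SAMPLE_LISTING='-rw-rw-rw- root root system_u:object_r:httpd_sys_content_t /var/www/html/robots.txt
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/hostname_SKYSLICE.INFO
-rw-r--r-- apache apache system_u:object_r:file_t /tmp/sess_example'

# mount_for PATH MOUNTS: print the longest mount point that contains PATH.
mount_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { m = $2
          # "/" contains everything; other mount points must match a whole
          # path component, so /tmp does not claim /tmpfoo/x.
          if (m == "/" || p == m || index(p, m "/") == 1)
              if (length(m) > length(best)) best = m }
        END { print best }'
}

# unlabeled_by_mount LISTING MOUNTS: print "mountpoint count" for every
# mount point holding entries whose SELinux type (third context field)
# is file_t.
unlabeled_by_mount() {
    printf '%s\n' "$1" |
    awk '{ split($4, c, ":")
           if (c[3] == "file_t") {
               # Drop the four leading columns so paths with spaces survive.
               sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "")
               print
           } }' |
    while IFS= read -r path; do
        mount_for "$path" "$2"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

unlabeled_by_mount "$SAMPLE_LISTING" "$SAMPLE_MOUNTS"
```

If every file_t entry falls under one mount point, the relabel did not cover that filesystem; if they are spread across several, the cause lies elsewhere.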
 
