Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

Dear Maintainer,
I tried setting up a tmpfs mount on a SELinux enabled system. My fstab entry looks like this:

    tmpfs /tmp rootcontext=system_u:object_r:tmp_t:s0 0 0

When I boot in permissive mode, this works as expected. However, when I boot in enforcing mode, /tmp is labelled tmpfs_t instead of tmp_t. This affects mount points other than /tmp and labels other than tmp_t as well. The default tmpfs mount points (/run, ...) do get correct labels even in enforcing mode. (Note: In permissive mode systemd sets the correct label for /tmp even when it is not explicitly specified in /etc/fstab, but this obviously does not hold for arbitrary mount points.)

I set up a unit that runs "restorecon /tmp" on boot and it successfully relabels /tmp, so this may not be a permission/policy issue after all. Also, I do not see any (related) AVC denials in the log.

It does not seem to make a difference (to label or logs) whether systemd mounts /tmp on boot or if I trigger it later with "systemctl restart tmp.mount". I also tried the classical "mount /tmp" as unconfined root user and this did set the label correctly. Unlike systemd, mount would also throw an error when the label was invalid.

I noticed that "systemctl show tmp.mount" does not list rootcontext in "Options". But it is listed as part of the "ExecMount" command. I also tried the "context" and "fscontext" mount options to no avail. I did not test whether filesystems other than tmpfs show a similar behaviour.

I am filing this against selinux-policy-default, because my impression is that it may be a policy issue. But honestly this is just a guess and the issue may be elsewhere entirely. systemd would be my next guess.

The issue is easily reproducible for me in a freshly installed VM with all the defaults plus SELinux. Please let me know if you need any other information.
-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1     2.6-3+b3
ii  libsemanage1    2.6-2
ii  libsepol1       2.6-2
ii  policycoreutils 2.6-3
ii  selinux-utils   2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
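The following diagnostic is an added example for readers reproducing the report; it is not code from the bug reporter, the selinux-policy-default package, or systemd. It walks /proc/self/mounts, picks out every mount whose options carry a rootcontext= or context=, and compares the type requested there with the type actually present on the mount point, so a tmpfs_t-versus-tmp_t mismatch like the one above is listed directly instead of being read off "ls -dZ" by hand. Assumptions: GNU coreutils stat (its %C format prints the SELinux context, or "?" when none is available), a Linux /proc/self/mounts, and the unquoted form the kernel uses for context options (a context containing a comma, such as an MLS category range, is quoted there and is not handled by the simple comma split).

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report: compare the SELinux type a
# mount asked for (rootcontext= / context=) with the type found on the
# mount point. Run as "sh check_mount_labels.sh scan".

# Print the value of the key=value option $2 from the comma-separated
# option string $1, stripping quotes; print nothing if the key is absent.
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# Third field of a user:role:type:level context, e.g. tmp_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Context requested for the mount. rootcontext= is preferred over context=
# because rootcontext= is what the report puts in fstab for /tmp.
requested_context() {
    req=$(mount_opt "$1" rootcontext)
    [ -n "$req" ] || req=$(mount_opt "$1" context)
    printf '%s\n' "$req"
}

# Context currently on a path. Assumption: GNU stat; "?" when there is no
# label, and also when stat does not support -c (non-GNU stat).
path_context() {
    stat -c %C "$1" 2>/dev/null || printf '?\n'
}

# Return 0 when the type from the mount options ($2) equals the type of
# the label on the mount point ($1); 1 otherwise, including when the
# options request no context at all.
label_matches() {
    requested=$(requested_context "$2")
    [ -n "$requested" ] || return 1
    [ "$(context_type "$requested")" = "$(context_type "$1")" ]
}

# Walk /proc/self/mounts (fields: source target fstype options dump pass)
# and report every mount whose requested and actual types disagree.
scan_mounts() {
    while read -r _src target fstype opts _rest; do
        requested=$(requested_context "$opts")
        [ -n "$requested" ] || continue
        actual=$(path_context "$target")
        if label_matches "$actual" "$opts"; then
            printf 'ok       %s (%s) %s\n' "$target" "$fstype" "$actual"
        else
            printf 'MISMATCH %s (%s) requested %s, found %s\n' \
                "$target" "$fstype" "$requested" "$actual"
        fi
    done < /proc/self/mounts
}

if [ "${1-}" = "scan" ]; then
    scan_mounts
fi
```

Running it in enforcing mode on a system showing the reported behaviour should print a MISMATCH line for /tmp with "requested system_u:object_r:tmp_t:s0, found system_u:object_r:tmpfs_t:s0"; the same line should read "ok" after "restorecon /tmp" or after a manual "mount /tmp", which is the quickest way to confirm that the label, not the mount option, is what differs between the two paths.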