So I'm having a rather tricky time trying to set the correct SELinux context for a tmpfs mount.
Short version
I am using a tmpfs mount for n-central to log to, since it generates a lot of spam, and then use rsync to persist on shutdown and restore on startup.
fstab
tmpfs /var/log/n-central tmpfs defaults,noatime,mode=0755,size=10M,context=system_u:object_r:var_log_n_central_t 0 0
policy (te)
module nagent-log-rsync 1.0;
require {
type rsync_t;
type user_tmp_t;
type logrotate_t;
class dir setattr;
class file { create getattr open read rename setattr unlink write };
}
# Define custom types for /var/log/n-central/ and /var/log/n-central-persist/
type var_log_n_central_t;
type var_log_n_central_persist_t;
#============= rsync_t ==============
allow rsync_t var_log_n_central_t:dir setattr;
allow rsync_t var_log_n_central_t:file { create getattr open read rename setattr unlink write };
allow rsync_t var_log_n_central_persist_t:dir setattr;
allow rsync_t var_log_n_central_persist_t:file { create getattr open read rename setattr unlink write };
allow rsync_t user_tmp_t:file open;
allow rsync_t user_tmp_t:file unlink;
#============= logrotate_t ==============
allow logrotate_t var_log_n_central_t:file { getattr open read write rename create unlink setattr };
contexts (fc)
/var/log/n-central(/.*)? system_u:object_r:var_log_n_central_t:s0
/var/log/n-central-persist(/.*)? system_u:object_r:var_log_n_central_persist_t:s0
How I compiled & actioned the policy
checkmodule -M -m -o nagent-log-rsync.mod nagent-log-rsync.te
semodule_package -o nagent-log-rsync.pp -m nagent-log-rsync.mod -f nagent-log-rsync.fc
sudo semodule -i nagent-log-rsync.pp
Problem
The moment I add ,context=system_u:object_r:var_log_n_central_t to the fstab I can't remount, and boot will fail horribly too.
The policy is loaded.
> seinfo -t | grep var_log_n_central_t
var_log_n_central_t
> sudo sesearch -A | grep n_central
allow logrotate_t var_log_n_central_t:file { create getattr open read rename setattr unlink write };
allow rsync_t var_log_n_central_persist_t:dir setattr;
allow rsync_t var_log_n_central_persist_t:file { create getattr open read rename setattr unlink write };
allow rsync_t var_log_n_central_t:dir setattr;
allow rsync_t var_log_n_central_t:file { create getattr open read rename setattr unlink write };
But remount just fails with no clear error
> sudo mount -o remount -v /var/log/n-central
mount: /var/log/n-central: mount point not mounted or bad option.
dmesg(1) may have more information after failed mount system call.
# dmesg
[ 1180.152547] SELinux: security_context_str_to_sid (system_u:object_r:var_log_n_central_t) failed with errno=-22
Just not really sure what to do from here or what I missed.
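An added check, not part of the original post: errno=-22 is EINVAL, meaning the kernel could not turn the context= string into a SID at all, which is a different failure from a denied access (those show up as AVC messages, not as security_context_str_to_sid). On a targeted policy with MLS/MCS enabled a valid context has four fields, user:role:type:level, and the fc entries above carry the `:s0` level while the fstab value does not. The script below (assuming a POSIX sh, and seinfo/chcon only for the live checks, which it skips on a host without SELinux) inspects a context= value the way you would before editing fstab: it counts the fields, supplies the level when it is missing, and, where SELinux is running, asks the policy whether the type exists and asks the kernel to resolve the full string by labelling a scratch file.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a context= value
# before putting it in fstab. Assumption: a targeted policy with MLS/MCS
# enabled, where a valid context is user:role:type:level (four fields).

# Number of colon-separated fields in a context string.
context_field_count() {
  printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# Succeeds when the string carries a level field (e.g. ":s0"); the fc entries
# in the question have one, the fstab context= value does not.
context_has_level() {
  [ "$(context_field_count "$1")" -ge 4 ]
}

# Prints the context with ":s0" appended when the level field is missing.
context_with_level() {
  if context_has_level "$1"; then
    printf '%s\n' "$1"
  else
    printf '%s:s0\n' "$1"
  fi
}

# Type name (third field) of a context string.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Live check on an SELinux host: does the loaded policy define this type?
# Returns 2 (skipped) when seinfo is unavailable or SELinux is disabled.
type_is_loaded() {
  command -v seinfo >/dev/null 2>&1 || return 2
  command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 2
  seinfo -t "$1" 2>/dev/null | grep -qw "$1"
}

# Live check: ask the kernel to resolve the whole string by labelling a scratch
# file with chcon, the same string-to-SID step mount performs. 2 = skipped.
context_resolves() {
  command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 2
  f=$(mktemp) || return 2
  rc=0
  chcon "$1" "$f" 2>/dev/null || rc=$?
  rm -f "$f"
  return "$rc"
}

# The value from the question's fstab line.
ctx="system_u:object_r:var_log_n_central_t"
echo "fstab value: $ctx ($(context_field_count "$ctx") fields)"
echo "with level:  $(context_with_level "$ctx")"

rc=0
type_is_loaded "$(context_type "$ctx")" || rc=$?
case $rc in
  0) echo "type $(context_type "$ctx") is defined in the loaded policy" ;;
  2) echo "type check skipped (no seinfo or SELinux not enabled here)" ;;
  *) echo "type $(context_type "$ctx") is NOT in the loaded policy" ;;
esac

rc=0
context_resolves "$ctx" || rc=$?
case $rc in
  0) echo "kernel accepts the original string" ;;
  2) echo "live check skipped (SELinux not enabled here)" ;;
  *) echo "kernel rejects the original string; retry with $(context_with_level "$ctx")" ;;
esac
```

Run it on the affected host as a user allowed to relabel a temp file; if the type check passes but the kernel rejects the three-field string and accepts the four-field one, the fstab line needs the level, not the policy.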