[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: noexec mount-option with selinux?

From: Stephen Smalley <sds tycho nsa gov>
To: Marten Lehmann <lehmann cnm de>
Cc: fedora-selinux-list redhat com
Subject: Re: noexec mount-option with selinux?
Date: Wed, 10 May 2006 07:29:19 -0400

On Wed, 2006-05-10 at 11:13 +0200, Marten Lehmann wrote:
> Hello,
> 
> I would like to mount the /tmp directory with the noexec option, so that no
> files can be executed directly from /tmp. But the problem is, that I don't
> have a separate partition for /tmp. It would be useless to create one, because
> the users on this system have strict quota limits, which wouldn't apply on a
> separate /tmp partition.
> 
> Lots of example policies only show ways to restrict certain applications. But
> is there a way to restrict access to the /tmp directory in general, too?

You can certainly not allow execute permission to *_tmp_t (the types
applied to files created in /tmp) in your policy.  In fact, most domains
should already be that way.  unconfined_t naturally can do that (since
it is unconfined); you could create a customized version of it that
isn't allowed to do that, but only via a custom policy.

-- 
Stephen Smalley
National Security Agency

Follow-Ups:
- Re: noexec mount-option with selinux?
  - From: david caplan
- Re: noexec mount-option with selinux?
  - From: Marten Lehmann

References:
- noexec mount-option with selinux?
  - From: Marten Lehmann

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]