noexec mount-option with selinux?
Stephen Smalley
sds at tycho.nsa.gov
Wed May 10 12:21:55 UTC 2006
On Wed, 2006-05-10 at 07:54 -0400, david caplan wrote:
> Keep in mind that not every file created in /tmp gets a *_tmp_t type.
> (sesearch --type -t tmp_t policy.conf)

On FC5, default policy, the only types I get from that output (applied
to the installed binary policy, as there is no policy.conf) that don't
include a _tmp_t suffix are httpd_sys_script_rw_t (for files created
under /tmp by CGIs) and cardmgr_dev_t (for device nodes created by
cardmgr). Offhand, I don't see why those should be executable either.

> I think this ("not allow execute permission to *_tmp_t") may be harder
> than you think unless you want to restrict a single domain type. On my
> FC5 machine (with a default policy) I see almost 30 domains with execute
> access on various tmp file types:
> sesearch --allow -t tmp -i -p execute -c file

I tried this command on FC5, default policy, and I get 5 rules, two
based on attributes, one rule for initrc_t, and two rules for
logrotate_t. So most of the cases appear to be attribute-based, likely
one for unconfined domains and not certain about the other. Being able
to execute files from /tmp is not desirable in general.

> I see over 30 in a strict version of the reference policy. I don't know
> if the execute access is necessary, but I suspect a lot of things will
> break if the access is removed.

--
Stephen Smalley
National Security Agency
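
An added example, not part of the original message: a Python sketch of the audit discussed above. It parses saved `sesearch --allow` output and lists the rules that grant `execute` on class `file` for `tmp_t` or `*_tmp_t` targets, marking the ones whose source or target is an attribute. The sample rules, the `example_*` names and the attribute set are constructed for illustration and are not actual FC5 policy; the function name is hypothetical.

```python
import re

# Accepts both "allow a b : file { x y } ;" and "allow a b:file x;" layouts.
RULE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def execute_on_tmp(sesearch_output, attributes=frozenset()):
    """Return sorted (source, target, attribute_based) tuples for allow rules
    granting file execute on tmp_t, a *_tmp_t type, or a listed attribute
    (an attribute target may expand to tmp types and needs a manual check)."""
    hits = set()
    for line in sesearch_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or blank line, not a rule
        source, target, cls, braced, single = m.groups()
        perms = set((braced or single or "").split())
        if cls != "file" or "execute" not in perms:
            continue
        is_tmp = target == "tmp_t" or target.endswith("_tmp_t")
        if is_tmp or target in attributes:
            via_attr = source in attributes or target in attributes
            hits.add((source, target, via_attr))
    return sorted(hits)

# Constructed sample output (assumption: names are illustrative only).
SAMPLE = """\
Found 6 rules:
   allow example_domain_attr example_file_attr : file { read getattr execute } ;
   allow initrc_t initrc_tmp_t : file { read execute } ;
   allow logrotate_t logrotate_tmp_t : file { read write execute } ;
   allow logrotate_t var_log_t : file { read write } ;
   allow example_t example_tmp_t:file execute;
   allow example_t example_tmp_t : dir { search } ;
"""

# Constructed attribute set; on a real system this would be the policy's
# attribute names, supplied by the auditor.
SAMPLE_ATTRS = {"example_domain_attr", "example_file_attr"}

if __name__ == "__main__":
    for src, tgt, via_attr in execute_on_tmp(SAMPLE, SAMPLE_ATTRS):
        kind = "attribute-based" if via_attr else "type-specific"
        print(f"{src} -> {tgt} ({kind})")
```

Type-specific hits can be reviewed one domain at a time, while an attribute-based hit covers every domain or type carrying that attribute.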