Re: noexec mount-option with selinux?
- From: Stephen Smalley <sds tycho nsa gov>
- To: david caplan <dac tresys com>
- Cc: selinux-dev <selinux-dev tresys com>, fedora-selinux-list redhat com
- Subject: Re: noexec mount-option with selinux?
- Date: Wed, 10 May 2006 08:21:55 -0400
On Wed, 2006-05-10 at 07:54 -0400, david caplan wrote:
> Keep in mind that not every file created in /tmp gets a *_tmp_t type.
> (sesearch --type -t tmp_t policy.conf)
On FC5, default policy, the only types I get from that output (applied
to the installed binary policy, as there is no policy.conf) that don't
include a _tmp_t suffix are httpd_sys_script_rw_t (for files created
under /tmp by CGIs) and cardmgr_dev_t (for device nodes created by
cardmgr). Offhand, I don't see why those should be executable either.
> I think this ("not allow execute permission to *_tmp_t") may be harder
> than you think unless you want to restrict a single domain type. On my
> FC5 machine (with a default policy) I see almost 30 domains with execute
> access on various tmp file types:
> sesearch --allow -t tmp -i -p execute -c file
I tried this command on FC5, default policy, and I get 5 rules, two
based on attributes, one rule for initrc_t, and two rules for
logrotate_t. So most of the cases appear to be attribute-based, likely
one for unconfined domains and not certain about the other. Being able
to execute files from /tmp is not desirable in general.
> I see over 30 in a strict version of the reference policy. I don't know
> if the execute access is necessary, but I suspect a lot of things will
> break if the access is removed.
--
Stephen Smalley
National Security Agency
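
Added example, not part of the original message: a small Python audit of `sesearch --allow` output like the query quoted above, separating rules written against concrete types from rules that appear to come from attributes. The sample rule lines are constructed, and treating any name that does not end in `_t` as an attribute is a naming-convention assumption, not something sesearch reports.

```python
import re
from collections import defaultdict

# Matches both "allow a b : file { x y } ;" and "allow a b:file x;" layouts.
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;"
)

# Constructed sample output (not real FC5 policy results).
SAMPLE = """\
Found 5 av rules:
   allow initrc_t initrc_tmp_t : file { read getattr execute } ;
   allow logrotate_t logrotate_tmp_t : file { read write execute } ;
   allow unconfined_domain_type file_type : file { read execute } ;
   allow httpd_sys_script_t httpd_sys_script_rw_t : file { read write } ;
   allow example_t example_tmp_t:file execute;
"""

def looks_like_type(name):
    # Assumption: policy types end in "_t"; anything else is an attribute.
    return name.endswith("_t")

def audit_execute(text):
    """Return (direct, via_attribute): source -> set of targets with file execute."""
    direct, via_attribute = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Found N av rules:"
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        if cls != "file" or "execute" not in perms:
            continue
        if looks_like_type(src) and looks_like_type(tgt):
            direct[src].add(tgt)
        else:
            via_attribute[src].add(tgt)
    return dict(direct), dict(via_attribute)

def non_tmp_suffix_targets(direct):
    """Concrete target types that lack the _tmp_t suffix, for manual review."""
    return sorted({t for ts in direct.values() for t in ts if not t.endswith("_tmp_t")})

if __name__ == "__main__":
    direct, via_attribute = audit_execute(SAMPLE)
    for src, tgts in sorted(direct.items()):
        print("type rule:     ", src, "->", ", ".join(sorted(tgts)))
    for src, tgts in sorted(via_attribute.items()):
        print("attribute rule:", src, "->", ", ".join(sorted(tgts)))
    print("non-_tmp_t targets:", non_tmp_suffix_targets(direct))
```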