noexec mount-option with selinux?
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Thu May 11 16:01:35 UTC 2006
On Thu, 11 May 2006 16:00:54 +0200, Marten Lehmann said:
> So, how can I setup a noexec-policy for /tmp selinux that applies for
> all processes as file permissions or mount options do?
At some point, you'll have to decide whether to do A or B:
A) Build a custom SELinux policy, and maintain it as reference policy is
updated, and debug all the issues yourself.
B) Bite the bullet, and repartition with a separate /tmp (which is a good
idea even without SELinux, as it kills off a whole class of attacks using
hardlinks from /tmp to places on the root partition). Personally, I recommend
redoing the disk with LVM, and leaving a bit of unallocated space, so if your
initial guesses for partition sizes is wrong you can grow them on the fly.
My standard Fedora builds have separate /, /boot, /usr, /usr/share, /usr/local,
/var, and /tmp, all with suitably restrictive uses of 'ro', 'noexec', 'nodev',
and 'nosuid'....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060511/921941ba/attachment.sig>
More information about the fedora-selinux-list
mailing list