[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: noexec mount-option with selinux?



On Thursday 11 May 2006 06:26pm, Marten Lehmann wrote:
> > A) Build a custom SELinux policy, and maintain it as reference policy is
> > updated, and debug all the issues yourself.
>
> I just need a hint on how to create a system-wide policy, not just an
> application level policy. Where can I find details on this?
>
> > B) Bite the bullet, and repartition with a separate /tmp (which is a good
> > idea even without SELinux, as it kills off a whole class of attacks using
> > hardlinks from /tmp to places on the root partition).
>
> It is not a technical problem to create a separate partition. But as I
> wrote in my first email I just cannot do it, because there is no way in
> linux to have system-wide quotas. Quotas are always only valid for one
> single partition. If I have quotas on the root partition (which includes
> /home) but /tmp is on a separate partition, then the quotas of / (and thus
> /home) don't apply for /tmp. That is the only reason why I have a look at
> selinux.
>
> If you have any other idea to have the same quotas for /home and /tmp while
> /tmp doesn't allow to execute files but /home does, then please tell me.

Do something like this in fstab (obviously, you might want to do something a 
little different with the mount options, but you get the idea):

/	/dev/vg0/root	ext3	defaults 1 1
/home	/dev/vg0/home	ext3	usrquota,grpquota,nosuid 1 2
/tmp	/dev/vg0/tmp	ext3	usrquota,grpquota,noexec,nosuid 1 2

When you want to change the quotas or set them, run:
# setquota username block-soft block-hard inode-soft inode-hard -a

It's the -a at the end that make it set them the same for all filesystems.  
You can have multiple filesystems with quotas and they can have different 
values set.

However, I don't think that's what you really want.  After all, it might make 
sense to limit users to 100MB in their home directory, but maybe only 1MB 
in /tmp/ instead.  Of course, if you have both /tmp/ and /home/ on the same 
filesystem, what's to stop a user with a 100MB from just using it up 
in /tmp/ ?  Nothing.

If the quota limits need to be as strict as your first message indicates, then 
I'm surprised you haven't already had /tmp/ on a separate filesystem, with 
separate quotas set.  Additionally, I always split off /tmp/ so *if* it 
fills, it doesn't "damage" my root filesystem.

HTH.
-- 
Lamont R. Peterson <lamont gurulabs com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409

Attachment: pgp6IaOVFv72x.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]