noexec mount-option with selinux?

Lamont R. Peterson lamont at gurulabs.com
Fri May 12 02:19:13 UTC 2006


On Thursday 11 May 2006 06:26pm, Marten Lehmann wrote:
> > A) Build a custom SELinux policy, and maintain it as reference policy is
> > updated, and debug all the issues yourself.
>
> I just need a hint on how to create a system-wide policy, not just an
> application level policy. Where can I find details on this?
>
> > B) Bite the bullet, and repartition with a separate /tmp (which is a good
> > idea even without SELinux, as it kills off a whole class of attacks using
> > hardlinks from /tmp to places on the root partition).
>
> It is not a technical problem to create a separate partition. But as I
> wrote in my first email I just cannot do it, because there is no way in
> linux to have system-wide quotas. Quotas are always only valid for one
> single partition. If I have quotas on the root partition (which includes
> /home) but /tmp is on a separate partition, then the quotas of / (and thus
> /home) don't apply for /tmp. That is the only reason why I have a look at
> selinux.
>
> If you have any other idea to have the same quotas for /home and /tmp while
> /tmp doesn't allow to execute files but /home does, then please tell me.

Do something like this in fstab (obviously, you might want to do something a 
little different with the mount options, but you get the idea):

/dev/vg0/root	/	ext3	defaults	1 1
/dev/vg0/home	/home	ext3	usrquota,grpquota,nosuid	1 2
/dev/vg0/tmp	/tmp	ext3	usrquota,grpquota,noexec,nosuid	1 2

When you want to change the quotas or set them, run:
# setquota username block-soft block-hard inode-soft inode-hard -a

It's the -a at the end that makes it set them the same for all filesystems.  
You can have multiple filesystems with quotas and they can have different 
values set.

However, I don't think that's what you really want.  After all, it might make 
sense to limit users to 100MB in their home directory, but maybe only 1MB 
in /tmp/ instead.  Of course, if you have both /tmp/ and /home/ on the same 
filesystem, what's to stop a user with a 100MB quota from just using it up 
in /tmp/?  Nothing.

If the quota limits need to be as strict as your first message indicates, then 
I'm surprised you haven't already had /tmp/ on a separate filesystem, with 
separate quotas set.  Additionally, I always split off /tmp/ so *if* it 
fills, it doesn't "damage" my root filesystem.

HTH.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409
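An added example, not part of the thread: a POSIX shell check that reads an fstab in the standard column order (device, mount point, type, options, dump, pass) and verifies that /tmp carries the noexec, nosuid and quota options the reply relies on while /home stays executable. The fstab text is a constructed sample; on a real host you would pass the contents of /etc/fstab instead.

```shell
#!/bin/sh
# Constructed sample fstab mirroring the layout suggested in the reply.
SAMPLE_FSTAB='# <device>      <mountpoint> <type> <options>                        <dump> <pass>
/dev/vg0/root   /            ext3   defaults                         1      1
/dev/vg0/home   /home        ext3   usrquota,grpquota,nosuid         1      2
/dev/vg0/tmp    /tmp         ext3   usrquota,grpquota,noexec,nosuid  1      2
'

# mount_opts FSTAB_TEXT MOUNTPOINT: print the option list for MOUNTPOINT,
# return 1 if no entry exists. Comments and short lines are skipped.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { print $4; found = 1; exit }
        END { if (!found) exit 1 }'
}

# has_opt FSTAB_TEXT MOUNTPOINT OPTION: 0 if OPTION appears in the option list.
has_opt() {
    opts=$(mount_opts "$1" "$2") || return 1
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp_hardening FSTAB_TEXT: report on /tmp and /home, return 0 only if
# /tmp has noexec, nosuid and both quota options and /home is quota-enabled
# without noexec (users still need to run their own binaries there).
check_tmp_hardening() {
    rc=0
    for opt in noexec nosuid usrquota grpquota; do
        if has_opt "$1" /tmp "$opt"; then
            echo "ok   /tmp has $opt"
        else
            echo "FAIL /tmp lacks $opt"; rc=1
        fi
    done
    for opt in usrquota grpquota; do
        has_opt "$1" /home "$opt" || { echo "FAIL /home lacks $opt"; rc=1; }
    done
    if has_opt "$1" /home noexec; then
        echo "FAIL /home is noexec"; rc=1
    fi
    return $rc
}

check_tmp_hardening "$SAMPLE_FSTAB"
```

Bear in mind this inspects only the fstab text; run `mount` (or read /proc/mounts) to confirm the options actually took effect on a live system.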