noexec mount-option with selinux?

Martin Ebourne lists at ebourne.me.uk
Fri May 12 15:18:31 UTC 2006


On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > If the quota limits need to be as strict as your first message indicates, then 
> > I'm surprised you haven't already had /tmp/ on a separate filesystem, with 
> > separate quotas set.  Additionally, I always split off /tmp/ so *if* it 
> > fills, it doesn't "damage" my root filesystem.
> 
> Actually, /home is not part of the root-partition and /tmp could be a 
> symlink to /home/tmp so both can use the same quota definitions. But how 
> can I set up a system-wide policy that disallows executing files from 
> /tmp or /home/tmp?

That sounds like a very hard way of doing things. And difficult to prove
correct too.

How about:

mkdir /home/tmp
mount -o bind,noexec,nosuid /home/tmp /tmp

Much easier, guaranteed secure.

Cheers,

Martin.
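As an added illustration (not part of the original thread), a small POSIX sh check that confirms the bind-mounted /tmp actually carries noexec and nosuid by reading /proc/mounts-format entries, plus the fstab line that makes the mount persistent; the sample mount table is constructed.

```shell
#!/bin/sh
# Added example: verify that a mount point carries the noexec/nosuid flags.
# Caveat: older mount(8) ignored extra options on the initial "-o bind";
# there you must follow up with: mount -o remount,bind,noexec,nosuid /tmp
# This check is how you confirm the flags really took effect.

# Constructed sample in /proc/mounts format (bind mounts are listed under
# their backing device, not the bind source directory).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,relatime,usrquota 0 0
/dev/sda2 /tmp ext3 rw,nosuid,noexec,relatime 0 0
/dev/sda3 /var ext3 rw,relatime 0 0'

# mount_has_opts MOUNTPOINT "opt1 opt2 ..." [MOUNT_TABLE_TEXT]
# Returns 0 if every listed option is present on the entry for MOUNTPOINT,
# 1 if one is missing, 2 if MOUNTPOINT is not mounted at all.
# The table defaults to the live /proc/mounts when no third argument is given.
mount_has_opts() {
    mp=$1; want=$2
    table=${3:-$(cat /proc/mounts)}
    # Field 2 is the mount point, field 4 the option list; the last matching
    # entry wins, since a later mount shadows an earlier one at the same path.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    for o in $want; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# fstab_line SOURCE_DIR MOUNTPOINT: the /etc/fstab entry that recreates the
# bind mount with the same hardening flags at boot.
fstab_line() {
    printf '%s %s none bind,noexec,nosuid 0 0\n' "$1" "$2"
}

# Stand-alone run against the constructed table.
if mount_has_opts /tmp "noexec nosuid" "$SAMPLE_MOUNTS"; then
    echo "/tmp is mounted noexec,nosuid"
else
    echo "/tmp is missing noexec or nosuid (rc=$?)"
fi
fstab_line /home/tmp /tmp
```

Run it without the third argument (e.g. `mount_has_opts /tmp "noexec nosuid"`) on the live system to audit the real mount table.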




More information about the fedora-selinux-list mailing list