Re: noexec mount-option with selinux?
- From: Martin Ebourne <lists ebourne me uk>
- To: fedora-selinux-list redhat com
- Subject: Re: noexec mount-option with selinux?
- Date: Fri, 12 May 2006 16:18:31 +0100
On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > If the quota limits need to be as strict as your first message indicates, then
> > I'm surprised you haven't already had /tmp/ on a separate filesystem, with
> > separate quotas set. Additionally, I always split off /tmp/ so *if* it
> > fills, it doesn't "damage" my root filesystem.
>
> Actually, /home is not part of the root-partition and /tmp could be a
> symlink to /home/tmp so both can use the same quota definitions. But how
> can I set up a system-wide policy that disallows executing files from
> /tmp or /home/tmp?

That sounds like a very hard way of doing things. And difficult to prove
correct too.

How about:

  mkdir /home/tmp
  mount -o bind,noexec,nosuid /home/tmp /tmp

Much easier, guaranteed secure.

Cheers,
Martin.
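
A way to confirm that noexec and nosuid are actually in effect on /tmp after the bind mount above, by reading the option list the kernel reports. This is an added example, not part of the original message; the function name mount_has_opts and the two sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# mount_has_opts MOUNTPOINT OPT[,OPT...] [MOUNTS_FILE]
# Exit status: 0 = every option present on the topmost mount at MOUNTPOINT,
#              1 = at least one option missing, 2 = nothing mounted there.
# MOUNTS_FILE defaults to /proc/mounts; "-" reads the table from stdin.
# The body runs in a subshell so the IFS change stays local.
mount_has_opts() (
    mp=$1 want=$2 table=${3:-/proc/mounts}
    # Field 2 is the mount point, field 4 the option list. Keep the last
    # match: a later mount on the same path shadows the earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    [ -n "$opts" ] || exit 2
    IFS=,
    for w in $want; do
        case ",$opts," in
            *",$w,"*) ;;        # whole-option match, so "exec" != "noexec"
            *) exit 1 ;;
        esac
    done
    exit 0
)

# Constructed /proc/mounts excerpts (not captured from a real system).
SAMPLE_FLAGS_MISSING='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /home ext3 rw,usrquota 0 0
/dev/sda3 /tmp ext3 rw,usrquota 0 0'
SAMPLE_FLAGS_SET='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /home ext3 rw,usrquota 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec,usrquota 0 0'

for sample in "$SAMPLE_FLAGS_MISSING" "$SAMPLE_FLAGS_SET"; do
    if printf '%s\n' "$sample" | mount_has_opts /tmp noexec,nosuid -; then
        echo "/tmp: noexec,nosuid in effect"
    else
        echo "/tmp: noexec,nosuid NOT in effect"
    fi
done
```

On a live system, call it as `mount_has_opts /tmp noexec,nosuid` right after the mount command and treat any non-zero status as a failed hardening step.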