[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: noexec mount-option with selinux?

On Wed, 2006-05-10 at 07:54 -0400, david caplan wrote:
> Keep in mind that not every file created in /tmp gets a *_tmp_t type.
> (sesearch --type -t tmp_t policy.conf)

On FC5, default policy, the only types I get from that output (applied
to the installed binary policy, as there is no policy.conf) that don't
include a _tmp_t suffix are httpd_sys_script_rw_t (for files created
under /tmp by CGIs) and cardmgr_dev_t (for device nodes created by
cardmgr).  Offhand, I don't see why those should be executable either.

> I think this ("not allow execute permission to *_tmp_t") may be harder
> than you think unless you want to restrict a single domain type.  On my
> FC5 machine (with a default policy) I see almost 30 domains with execute
> access on various tmp file types:
> sesearch --allow -t tmp -i -p execute -c file 

I tried this command on FC5, default policy, and I get 5 rules, two
based on attributes, one rule for initrc_t, and two rules for
logrotate_t.  So most of the cases appear to be attribute-based, likely
one for unconfined domains and not certain about the other.  Being able
to execute files from /tmp is not desirable in general.

> I see over 30 in a strict version of the reference policy. I don't know
> if the execute access is necessary, but I suspect a lot of things will
> break if the access is removed.

Stephen Smalley
National Security Agency

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]