noexec mount-option with selinux?

Thomas Bleher bleher at informatik.uni-muenchen.de
Fri May 12 18:39:13 UTC 2006 

* Thomas Bleher <bleher at informatik.uni-muenchen.de> [2006-05-12 20:22]:
> * Martin Ebourne <lists at ebourne.me.uk> [2006-05-12 17:19]:
> > On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > > > If the quota limits need to be as strict as your first message indicates, then 
> > > > I'm surprised you haven't already had /tmp/ on a separate filesystem, with 
> > > > separate quotas set.  Additionally, I always split off /tmp/ so *if* it 
> > > > fills, it doesn't "damage" my root filesystem.
> > > 
> > > Actually, /home is not part of the root-partition and /tmp could be a 
> > > symlink to /home/tmp so both can use the some quota definitions. But how 
> > > can I setup a system-wide policy that disallows to execute files from 
> > > /tmp or /home/tmp?
> > 
> > That sounds like a very hard way of doing things. And difficult to prove
> > correct too.
> > 
> > How about:
> > 
> > mkdir /home/tmp
> > mount -o bind,noexec,nosuid /home/tmp /tmp
> 
> I don't think this will work. I just tried to do it and I could still
> execute files in the mounted dir. I thought that per-mountpoint noexec
> flags were in the kernel, but I can't find any definitive information on
> it and fs/namespace.c is not the best information source either. (Anyone 
> knows why this doesn't work? It would be really neat.)

Umm, this mailing list post explains it:
http://www.cs.helsinki.fi/linux/linux-kernel/2001-41/0082.html (plus
followup from Al Viro).
Mount seems really broken in this regard as it reports the noexec flags
in /etc/mtab.

> The other issue here is that the user still can execute files through
> /home/tmp. So you should --move the dir instead of bind-mounting it.

There's another issue here: You can't mount --move a directory that is
not a mountpoint. So if you want to guard against people accessing
/home/tmp directly, either move it to /home/secure/tmp and bind-mount it
from there (where /home/secure is mode 0000), or bind mount /home/tmp
over itself.

That means a fully working solution looks something like this:
$ mount --bind /home/tmp/ /home/tmp/
$ mount -o remount,noexec /home/tmp/
$ mount --bind /home/tmp/ /tmp/

Lesson learnt here: Test to see if you actually protect against your
threats.

Thomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060512/1af06b15/attachment.sig>

More information about the fedora-selinux-list mailing list