On Thu, 11 May 2006 16:00:54 +0200, Marten Lehmann said:
So, how can I setup a noexec-policy for /tmp selinux that applies for
all processes as file permissions or mount options do?
At some point, you'll have to decide whether to do A or B:
A) Build a custom SELinux policy, and maintain it as reference policy is
updated, and debug all the issues yourself.
B) Bite the bullet, and repartition with a separate /tmp (which is a good
idea even without SELinux, as it kills off a whole class of attacks using
hardlinks from /tmp to places on the root partition). Personally, I recommend
redoing the disk with LVM, and leaving a bit of unallocated space, so if your
initial guesses for partition sizes is wrong you can grow them on the fly.
My standard Fedora builds have separate /, /boot, /usr, /usr/share, /usr/local,
/var, and /tmp, all with suitably restrictive uses of 'ro', 'noexec',
'nodev',
and 'nosuid'....