noexec mount-option with selinux?

Marten Lehmann lehmann at cnm.de
Fri May 12 00:26:20 UTC 2006


> A) Build a custom SELinux policy, and maintain it as reference policy is
> updated, and debug all the issues yourself.

I just need a hint on how to create a system-wide policy, not just an
application-level policy. Where can I find details on this?

> B) Bite the bullet, and repartition with a separate /tmp (which is a good
> idea even without SELinux, as it kills off a whole class of attacks using
> hardlinks from /tmp to places on the root partition).

It is not a technical problem to create a separate partition. But as I wrote
in my first email, I just cannot do it, because there is no way in Linux to
have system-wide quotas. Quotas are always only valid for one single
partition. If I have quotas on the root partition (which includes /home) but
/tmp is on a separate partition, then the quotas of / (and thus /home) don't
apply to /tmp. That is the only reason why I am having a look at SELinux.

If you have any other idea how to have the same quotas for /home and /tmp while
/tmp doesn't allow files to be executed but /home does, then please tell me.

Regards
Marten
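
One way to get noexec on /tmp without moving it off the root filesystem (so the quotas set on / keep covering /tmp) is a bind mount: mount /tmp onto itself and remount that bind mount with noexec, nosuid and nodev. The script below is an added illustration, not something proposed in this thread; the mount lines need root and a util-linux that accepts remount,bind, the fstab line is an assumption about current util-linux behaviour, and the check functions run against a constructed /proc/mounts sample rather than the live system.

```shell
#!/bin/sh
# Added example, not from the thread: keep /tmp on the root filesystem so the
# root filesystem's user quotas still cover it, but make it noexec/nosuid/nodev
# by bind-mounting it onto itself and remounting the bind mount with new flags.

# Needs root. "remount,bind" changes only the per-mountpoint flags of the bind
# mount (recent util-linux); the underlying root filesystem stays rw and exec.
harden_tmp_bind_mount() {
    mount --bind /tmp /tmp &&
    mount -o remount,bind,noexec,nosuid,nodev /tmp
}

# Persistent equivalent for /etc/fstab (assumption: recent util-linux applies
# the extra flags in one step; older versions needed a second remount line):
#   /tmp  /tmp  none  bind,noexec,nosuid,nodev  0 0

# Print the mount options of the last /proc/mounts-style entry (read from
# stdin) whose mount point is $1; the last entry wins, as with stacked mounts.
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'
}

# Exit 0 if the /proc/mounts-style text on stdin shows $1 mounted noexec.
is_noexec() {
    mount_opts_for "$1" | tr ',' '\n' | grep -qx noexec
}

# Constructed sample of what /proc/mounts looks like after harden_tmp_bind_mount:
# the same device backs / and /tmp (so quotas on / still apply), with
# different per-mountpoint flags.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,usrquota,grpquota 0 0
/dev/sda1 /tmp ext3 rw,nosuid,nodev,noexec 0 0'

# Stand-alone run: report the state of /tmp in the sample.
if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec /tmp; then
    echo "/tmp is noexec"
else
    echo "/tmp is NOT noexec"
fi
# Against the live system the check would be:  is_noexec /tmp < /proc/mounts
```

Two caveats: noexec only stops the kernel from exec()ing files on that mount, so `sh /tmp/x` or `/lib/ld-linux.so.2 /tmp/x` still run them, and some package tools unpack and execute scripts from /tmp, so check those before enabling it system-wide.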
