On Wed, 2006-05-10 at 11:13 +0200, Marten Lehmann wrote:
> Hello,
>
> I would like to mount the /tmp directory with the noexec option, so that no
> files can be executed directly from /tmp. But the problem is that I don't
> have a separate partition for /tmp. It would be useless to create one, because
> the users on this system have strict quota limits, which wouldn't apply on a
> separate /tmp partition.
>
> Lots of example policies only show ways to restrict certain applications. But
> is there a way to restrict access to the /tmp directory in general, too?

You can certainly not allow execute permission to *_tmp_t (the types applied
to files created in /tmp) in your policy. In fact, most domains should already
be that way. unconfined_t naturally can do that (since it is unconfined); you
could create a customized version of it that isn't allowed to do that, but only
via a custom policy.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
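Once a policy withholds execute permission on the *_tmp_t types, every attempt by a confined domain to run a file from /tmp surfaces as an AVC record with `tclass=file` and `execute` or `execute_no_trans` in the permission set, so the audit log is the place to confirm the restriction is actually biting and to see which domains would break before tightening unconfined_t. The script below is an added example for this thread, not code from the list or from Stephen Smalley: it parses AVC lines and keeps only execute-class requests against tmp_t or any *_tmp_t type. The log records are constructed, and treating plain tmp_t (the label files get when created in /tmp by an unconfined domain) as a /tmp type alongside the per-domain *_tmp_t types is this example's assumption.

```python
"""Audit SELinux AVC records for attempts to execute files labelled with a
/tmp type (tmp_t or any *_tmp_t).  Added example for the thread above, not
code from the mailing list; all log lines below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# File-class permissions that let a domain run a file as code.
EXEC_PERMS = frozenset({"execute", "execute_no_trans"})

# Types applied to files created in /tmp: tmp_t itself (assumption: included
# here) and the per-domain *_tmp_t types such as user_tmp_t or httpd_tmp_t.
TMP_TYPE_RE = re.compile(r"^(?:\w+_)?tmp_t$")

# "avc:  denied  { execute } for  pid=... comm=... scontext=... tclass=file"
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs after "for"; values may be double-quoted (path="/tmp/x") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class TmpExecEvent:
    verdict: str       # "denied" (policy blocked it) or "granted" (auditallow logged it)
    perms: frozenset   # the execute-class permissions that were requested
    domain: str        # source type, i.e. the domain of the calling process
    target_type: str   # the /tmp type carried by the file
    comm: str          # program name as seen by the kernel
    path: str          # path if the kernel logged one, else the bare file name


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line: str) -> Optional[TmpExecEvent]:
    """Return an event if the line is an AVC record for execute on a /tmp-typed file."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    perms = frozenset(m.group("perms").split()) & EXEC_PERMS
    if fields.get("tclass") != "file" or not perms:
        return None  # not an execute request on a file (e.g. read/write, or a dir)
    ttype = context_type(fields.get("tcontext", ""))
    if not TMP_TYPE_RE.match(ttype):
        return None  # execute on something that is not a /tmp type
    return TmpExecEvent(
        verdict=m.group("verdict"),
        perms=perms,
        domain=context_type(fields.get("scontext", "")),
        target_type=ttype,
        comm=fields.get("comm", "?"),
        path=fields.get("path") or fields.get("name", "?"),
    )


def tmp_exec_events(lines: Iterable[str]) -> List[TmpExecEvent]:
    """All execute-from-/tmp events in the given audit lines, in log order."""
    return [e for e in map(parse_avc, lines) if e is not None]


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count (verdict, domain, target_type) triples across the log."""
    return dict(Counter((e.verdict, e.domain, e.target_type) for e in tmp_exec_events(lines)))


# Constructed sample records in audit.log format (not real audit output).
SAMPLE_LOG = [
    'type=AVC msg=audit(1147254789.123:456): avc:  denied  { execute_no_trans } for  pid=2345 comm="bash" path="/tmp/build.sh" dev=dm-0 ino=12345 scontext=user_u:system_r:user_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1147254790.001:457): avc:  denied  { execute } for  pid=1800 comm="httpd" path="/tmp/php4Fx1" dev=dm-0 ino=12377 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1147254791.500:458): avc:  granted  { execute } for  pid=2400 comm="sh" path="/tmp/installer" dev=dm-0 ino=12400 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1147254792.000:459): avc:  denied  { read write } for  pid=2345 comm="bash" path="/tmp/notes" dev=dm-0 ino=12401 scontext=user_u:system_r:user_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1147254793.000:460): avc:  denied  { execute } for  pid=2345 comm="bash" path="/home/alice/run.sh" dev=dm-0 ino=99 scontext=user_u:system_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1147254793.000:460): arch=c000003e syscall=59 success=no exit=-13',
]

if __name__ == "__main__":
    # On a live system feed it the AVC lines from /var/log/audit/audit.log instead.
    for (verdict, domain, ttype), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{verdict:8} {domain:16} -> {ttype:16} {n}")
```

The `granted` branch matters as much as `denied`: unconfined_t will never be denied, so the only way to see how often it actually executes from /tmp (and therefore what a customized, restricted unconfined_t would have blocked) is an `auditallow` rule on the *_tmp_t types, whose hits arrive as `granted` records and are counted here separately.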