On Thu, 11 May 2006 16:00:54 +0200, Marten Lehmann said: > So, how can I setup a noexec-policy for /tmp selinux that applies for > all processes as file permissions or mount options do? At some point, you'll have to decide whether to do A or B: A) Build a custom SELinux policy, and maintain it as reference policy is updated, and debug all the issues yourself. B) Bite the bullet, and repartition with a separate /tmp (which is a good idea even without SELinux, as it kills off a whole class of attacks using hardlinks from /tmp to places on the root partition). Personally, I recommend redoing the disk with LVM, and leaving a bit of unallocated space, so if your initial guesses for partition sizes is wrong you can grow them on the fly. My standard Fedora builds have separate /, /boot, /usr, /usr/share, /usr/local, /var, and /tmp, all with suitably restrictive uses of 'ro', 'noexec', 'nodev', and 'nosuid'....
Attachment:
pgpfGsDF5kx5C.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
