On Thursday 11 May 2006 06:26pm, Marten Lehmann wrote:
> > A) Build a custom SELinux policy, and maintain it as reference policy is
> > updated, and debug all the issues yourself.
>
> I just need a hint on how to create a system-wide policy, not just an
> application level policy. Where can I find details on this?
>
> > B) Bite the bullet, and repartition with a separate /tmp (which is a good
> > idea even without SELinux, as it kills off a whole class of attacks using
> > hardlinks from /tmp to places on the root partition).
>
> It is not a technical problem to create a separate partition. But as I
> wrote in my first email I just cannot do it, because there is no way in
> Linux to have system-wide quotas. Quotas are always only valid for one
> single partition. If I have quotas on the root partition (which includes
> /home) but /tmp is on a separate partition, then the quotas of / (and thus
> /home) don't apply for /tmp. That is the only reason why I have a look at
> SELinux.
>
> If you have any other idea to have the same quotas for /home and /tmp while
> /tmp doesn't allow to execute files but /home does, then please tell me.

Do something like this in fstab (obviously, you might want to do something a
little different with the mount options, but you get the idea):

# <device>      <mount point> <type> <options>                        <dump> <pass>
/dev/vg0/root   /             ext3   defaults                         1      1
/dev/vg0/home   /home         ext3   usrquota,grpquota,nosuid         1      2
/dev/vg0/tmp    /tmp          ext3   usrquota,grpquota,noexec,nosuid  1      2

When you want to change the quotas or set them, run:

# setquota username block-soft block-hard inode-soft inode-hard -a

It's the -a at the end that makes it set them the same for all filesystems.
You can have multiple filesystems with quotas and they can have different
values set. However, I don't think that's what you really want. After all, it
might make sense to limit users to 100MB in their home directory, but maybe
only 1MB in /tmp/ instead.
Of course, if you have both /tmp/ and /home/ on the same filesystem, what's to
stop a user with a 100MB from just using it up in /tmp/ ? Nothing. If the quota
limits need to be as strict as your first message indicates, then I'm surprised
you haven't already had /tmp/ on a separate filesystem, with separate quotas
set. Additionally, I always split off /tmp/ so *if* it fills, it doesn't
"damage" my root filesystem.

HTH.
--
Lamont R. Peterson <lamont@xxxxxxxxxxxx>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB 8CB3 F980 6C97 DC0D D409
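A small check for the layout recommended in the reply above, added here as an example and not part of the original post or of any Guru Labs material: it parses an fstab-style text and verifies that a given mount point carries the mount options a hardened /tmp and a quota-enabled /home need. The fstab content embedded in the script is constructed sample data mirroring the reply; the function names (fstab_options, has_option, check_mount) are this example's own.

```shell
#!/bin/sh
# Added example: verify mount-option hardening and quota flags in an fstab.
# SAMPLE_FSTAB is constructed sample data, modelled on the reply's layout.
SAMPLE_FSTAB='# <device>    <mount point> <type> <options>                       <dump> <pass>
/dev/vg0/root /             ext3   defaults                        1      1
/dev/vg0/home /home         ext3   usrquota,grpquota,nosuid        1      2
/dev/vg0/tmp  /tmp          ext3   usrquota,grpquota,noexec,nosuid 1      2'

# fstab_options <fstab-text> <mountpoint>
# Print the options field (4th column) of the first non-comment entry
# whose mount point matches; print nothing if there is no such entry.
fstab_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# has_option <comma-separated-options> <option>
# Succeed only on an exact element match ("noexec" must not match "nosuid" etc.).
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount <fstab-text> <mountpoint> <required-options-csv>
# Report which required options are missing; return 0 if all are present.
check_mount() {
    opts=$(fstab_options "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2: no fstab entry"
        return 1
    fi
    missing=""
    for want in $(printf '%s\n' "$3" | tr ',' ' '); do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$2: missing$missing (have: $opts)"
        return 1
    fi
    echo "$2: ok ($opts)"
    return 0
}

# /tmp must be non-executable, nosuid and quota-enabled; /home keeps exec but
# still needs nosuid and quotas, exactly as the reply's fstab lays it out.
check_mount "$SAMPLE_FSTAB" /tmp  usrquota,grpquota,noexec,nosuid
check_mount "$SAMPLE_FSTAB" /home usrquota,grpquota,nosuid
```

To run it against a real system, replace SAMPLE_FSTAB with `$(cat /etc/fstab)`. Note that fstab only states intent; whether /tmp is actually mounted with those options is answered by the kernel's view in /proc/mounts, so a production check should read that as well.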
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list