Re: noexec mount-option with selinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > When you want to change the quotas or set them, run:
> > # setquota username block-soft block-hard inode-soft inode-hard -a
> 
> But I'm looking for a clean way to do it without workarounds with selinux!
> 
> The system includes a webserver and when someone uses the fileupload of 
> PHP, then the uploaded file will be stored in /tmp. So a quota of just 1 
> MB on /tmp for every user is not enough.
> 
> > If the quota limits need to be as strict as your first message indicates, then 
> > I'm surprised you haven't already had /tmp/ on a separate filesystem, with 
> > separate quotas set.  Additionally, I always split off /tmp/ so *if* it 
> > fills, it doesn't "damage" my root filesystem.
> 
> Actually, /home is not part of the root-partition and /tmp could be a 
> symlink to /home/tmp so both can use the some quota definitions. But how 
> can I setup a system-wide policy that disallows to execute files from 
> /tmp or /home/tmp?

SELinux permission checks are pair-based checks between the process'
domain and the object type (or to be precise, triple-based, with the
security class as the third component).  They aren't analogous to inode
flags.  So you can achieve the effect of such a policy by not allowing
any process domain execute permission to any file type that can exist
in /tmp, but not in the way you describe.  

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux