On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote: > > When you want to change the quotas or set them, run: > > # setquota username block-soft block-hard inode-soft inode-hard -a > > But I'm looking for a clean way to do it without workarounds with selinux! > > The system includes a webserver and when someone uses the fileupload of > PHP, then the uploaded file will be stored in /tmp. So a quota of just 1 > MB on /tmp for every user is not enough. > > > If the quota limits need to be as strict as your first message indicates, then > > I'm surprised you haven't already had /tmp/ on a separate filesystem, with > > separate quotas set. Additionally, I always split off /tmp/ so *if* it > > fills, it doesn't "damage" my root filesystem. > > Actually, /home is not part of the root-partition and /tmp could be a > symlink to /home/tmp so both can use the some quota definitions. But how > can I setup a system-wide policy that disallows to execute files from > /tmp or /home/tmp? SELinux permission checks are pair-based checks between the process' domain and the object type (or to be precise, triple-based, with the security class as the third component). They aren't analogous to inode flags. So you can achieve the effect of such a policy by not allowing any process domain execute permission to any file type that can exist in /tmp, but not in the way you describe. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
