* Martin Ebourne <lists@xxxxxxxxxxxxx> [2006-05-12 17:19]: > On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote: > > > If the quota limits need to be as strict as your first message indicates, then > > > I'm surprised you haven't already had /tmp/ on a separate filesystem, with > > > separate quotas set. Additionally, I always split off /tmp/ so *if* it > > > fills, it doesn't "damage" my root filesystem. > > > > Actually, /home is not part of the root-partition and /tmp could be a > > symlink to /home/tmp so both can use the some quota definitions. But how > > can I setup a system-wide policy that disallows to execute files from > > /tmp or /home/tmp? > > That sounds like a very hard way of doing things. And difficult to prove > correct too. > > How about: > > mkdir /home/tmp > mount -o bind,noexec,nosuid /home/tmp /tmp I don't think this will work. I just tried to do it and I could still execute files in the mounted dir. I thought that per-mountpoint noexec flags were in the kernel, but I can't find any definitive information on it and fs/namespace.c is not the best information source either. (Anyone knows why this doesn't work? It would be really neat.) The other issue here is that the user still can execute files through /home/tmp. So you should --move the dir instead of bind-mounting it. Thomas
Attachment:
signature.asc
Description: Digital signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
