noexec mount-option with selinux?
Thomas Bleher
bleher at informatik.uni-muenchen.de
Fri May 12 18:39:13 UTC 2006
* Thomas Bleher <bleher at informatik.uni-muenchen.de> [2006-05-12 20:22]:
> * Martin Ebourne <lists at ebourne.me.uk> [2006-05-12 17:19]:
> > On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > > > If the quota limits need to be as strict as your first message indicates, then
> > > > I'm surprised you haven't already had /tmp/ on a separate filesystem, with
> > > > separate quotas set. Additionally, I always split off /tmp/ so *if* it
> > > > fills, it doesn't "damage" my root filesystem.
> > >
> > > Actually, /home is not part of the root-partition and /tmp could be a
> > > symlink to /home/tmp so both can use the same quota definitions. But how
> > > can I set up a system-wide policy that disallows executing files from
> > > /tmp or /home/tmp?
> >
> > That sounds like a very hard way of doing things. And difficult to prove
> > correct too.
> >
> > How about:
> >
> > mkdir /home/tmp
> > mount -o bind,noexec,nosuid /home/tmp /tmp
>
> I don't think this will work. I just tried to do it and I could still
> execute files in the mounted dir. I thought that per-mountpoint noexec
> flags were in the kernel, but I can't find any definitive information on
> it and fs/namespace.c is not the best information source either. (Anyone
> knows why this doesn't work? It would be really neat.)
Umm, this mailing list post explains it:
http://www.cs.helsinki.fi/linux/linux-kernel/2001-41/0082.html (plus
followup from Al Viro).
Mount seems really broken in this regard as it reports the noexec flags
in /etc/mtab.
> The other issue here is that the user still can execute files through
> /home/tmp. So you should --move the dir instead of bind-mounting it.
There's another issue here: You can't mount --move a directory that is
not a mountpoint. So if you want to guard against people accessing
/home/tmp directly, either move it to /home/secure/tmp and bind-mount it
from there (where /home/secure is mode 0000), or bind mount /home/tmp
over itself.
That means a fully working solution looks something like this:
$ mount --bind /home/tmp/ /home/tmp/
$ mount -o remount,noexec /home/tmp/
$ mount --bind /home/tmp/ /tmp/
Lesson learnt here: Test to see if you actually protect against your
threats.
Thomas
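As an added example (not code from the thread or its participants), a POSIX sh script implementing the closing lesson: ask the kernel's own view in /proc/self/mounts rather than trusting /etc/mtab, and probe whether execution in the directory is actually refused. The mount-table lines are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the "test that you
# actually protect against your threats" lesson: ask the kernel (via
# /proc/self/mounts, not /etc/mtab) whether noexec is set, and try to run
# a file from the directory.

# mount_has_opt MOUNTS_TEXT MOUNTPOINT OPTION
# MOUNTS_TEXT is the text of /proc/self/mounts (passed in so the function
# can be exercised on sample data). Returns 0 if OPTION is set on
# MOUNTPOINT, 1 if the mountpoint exists without it, 2 if it is not a
# mountpoint. The last entry for a path wins: a later bind mount over the
# same path shadows earlier ones.
mount_has_opt() {
    mounts=$1; mp=$2; opt=$3
    opts=$(printf '%s\n' "$mounts" |
           awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *",$opt,"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Same check against the live system.
check_noexec() { mount_has_opt "$(cat /proc/self/mounts)" "$1" noexec; }

# exec_denied DIR: drop a throwaway script into DIR, chmod +x it and run it
# directly. Returns 0 if the kernel refused (what noexec should give), 1 if
# it ran. noexec only blocks execve(); "sh file" still works, so this stops
# accidents, not a determined local user.
exec_denied() {
    f=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 0755 "$f"
    if "$f" 2>/dev/null; then rm -f "$f"; return 1; fi
    rm -f "$f"; return 0
}

# Constructed samples mirroring the thread. After a plain
# "mount -o bind,noexec", /etc/mtab claims noexec on /tmp ...
MTAB_SAMPLE='/dev/sda1 / ext3 rw 0 0
/home/tmp /tmp none rw,bind,noexec 0 0'
# ... while the kernel shows /tmp bound without it.
PROC_SAMPLE='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'
# After bind-over-itself, remount,noexec and bind to /tmp, both carry it.
FIXED_SAMPLE='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /home/tmp ext3 rw,noexec 0 0
/dev/sda3 /tmp ext3 rw,noexec 0 0'
```

Run `check_noexec /tmp && exec_denied /tmp` on the live box after the three mount commands above; both must succeed before the setup counts as working.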