noexec mount-option with selinux?

david caplan dac at tresys.com
Wed May 10 11:54:19 UTC 2006


On Wed, 2006-05-10 at 07:29 -0400, Stephen Smalley wrote:
> On Wed, 2006-05-10 at 11:13 +0200, Marten Lehmann wrote:
> > Hello,
> > 
> > I would like to mount the /tmp directory with the noexec option, so that no
> > files can be executed directly from /tmp. But the problem is that I don't
> > have a separate partition for /tmp. It would be useless to create one, because
> > the users on this system have strict quota limits, which wouldn't apply on a
> > separate /tmp partition.
> > 
> > Lots of example policies only show ways to restrict certain applications. But
> > is there a way to restrict access to the /tmp directory in general, too?
> 
> You can certainly not allow execute permission to *_tmp_t (the types
> applied to files created in /tmp) in your policy.  In fact, most domains
> should already be that way.  unconfined_t naturally can do that (since
> it is unconfined); you could create a customized version of it that
> isn't allowed to do that, but only via a custom policy.
> 
Keep in mind that not every file created in /tmp gets a *_tmp_t type.
(sesearch --type -t tmp_t policy.conf)

I think this ("not allow execute permission to *_tmp_t") may be harder
than you think unless you want to restrict a single domain type.  On my
FC5 machine (with a default policy) I see almost 30 domains with execute
access on various tmp file types:
sesearch --allow -t tmp -i -p execute -c file 

I see over 30 in a strict version of the reference policy. I don't know
if the execute access is necessary, but I suspect a lot of things will
break if the access is removed.

David

(Note sesearch is part of the setools package and gives you some of the
policy searching capabilities of apol on the command line.)
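As an added example (not part of this thread or of setools), the script below parses the allow rules that the sesearch query quoted above would print and lists which domains hold execute on tmp file types, i.e. what would break if that access were removed from policy. The rule format and the sample lines are constructed assumptions, not real sesearch output.

```python
import re

# Constructed sample in the style of setools 3 'sesearch --allow' output
# (the exact format is an assumption); not output taken from the thread.
SAMPLE_SESEARCH_OUTPUT = """\
Found 7 av rules:
   allow unconfined_t tmp_t : file { ioctl read getattr write execute execute_no_trans };
   allow user_t user_tmp_t : file { ioctl read getattr lock write append unlink };
   allow rpm_t rpm_tmp_t : file { read write execute };
   allow sysadm_t sysadm_tmp_t : file { read execute };
   allow httpd_t httpd_tmp_t : dir { read search };
   allow initrc_t initrc_tmp_t : file { read write };
   allow user_t user_home_t : file { execute };
"""

# Accepts both "tgt : cls" (setools 3) and "tgt:cls" (setools 4) spellings.
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{]+)"
    r"\s*\{(?P<perms>[^}]*)\}\s*;",
    re.MULTILINE,
)


def parse_allow_rules(text):
    """Return (source, target, class, {perms}) tuples for every allow rule."""
    return [
        (m.group("src"), m.group("tgt"), m.group("cls"), set(m.group("perms").split()))
        for m in RULE_RE.finditer(text)
    ]


def domains_with_execute_on_tmp(text, pattern="tmp"):
    """Equivalent of 'sesearch --allow -t tmp -i -p execute -c file':
    map each source domain to the tmp file types it may execute.
    The target match is a case-insensitive substring test, like -i."""
    hits = {}
    for src, tgt, cls, perms in parse_allow_rules(text):
        if cls == "file" and "execute" in perms and pattern.lower() in tgt.lower():
            hits.setdefault(src, set()).add(tgt)
    return hits


if __name__ == "__main__":
    hits = domains_with_execute_on_tmp(SAMPLE_SESEARCH_OUTPUT)
    print(f"{len(hits)} domains would lose execute on tmp types:")
    for domain, types in sorted(hits.items()):
        print(f"  {domain}: {', '.join(sorted(types))}")
```

Run it against real output by piping sesearch into the script instead of the embedded sample; the domain count it prints is the "almost 30" figure mentioned above.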

More information about the fedora-selinux-list mailing list