I have FCOS 37 deployed to ~100 remotely managed systems. I need to apply the noexec flag to the /var partition on these systems. I found this page, "Configuring Storage :: Fedora Docs", which talks about how this flag might be applied to a butane config, but I cannot use this as it can only be applied during the initial provisioning and these systems are already deployed remotely. There is no /etc/fstab file on FCOS 37, so I don’t think that the flag may be applied by editing the fstab.
How do I configure the system to mount the /var partition with the noexec flag?
I know nothing about Fedora CoreOS beyond its intersection with Silverblue, but if you did something like this from your link:
- path: /var
# We can select the filesystem we'd like.
# Ask Butane to generate a mount unit for us so that this filesystem
# gets mounted in the real root.
I’d expect you have a /etc/systemd/system/var.mount. In any case, systemctl cat /var should show you where the mount is defined.
In lieu of editing that file, you could create a drop-in: /etc/systemd/system/var.mount.d/noexec.conf:
Note that this would override any options already set in the main unit file.
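One way to build that drop-in so it keeps the options already present in the main unit, as an added example that is not part of the original answer. The function names and the sample unit contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate var.mount.d/noexec.conf without losing the
# options already set in the main unit. Function names are hypothetical.

# Print the value of the last Options= line in the unit's [Mount] section.
unit_options() {
    awk '
        /^\[/ { in_mount = ($0 == "[Mount]") }
        in_mount && /^Options[ \t]*=/ {
            sub(/^Options[ \t]*=[ \t]*/, "")
            val = $0
        }
        END { print val }
    ' "$1"
}

# Take a comma-separated option list, drop exec/noexec and empty items,
# then append noexec once. Runs in a subshell so IFS and set -f stay local.
merge_options() (
    IFS=','
    set -f
    out=""
    for opt in $1; do
        case "$opt" in
            ''|exec|noexec) continue ;;
        esac
        out="${out:+$out,}$opt"
    done
    printf '%s\n' "${out:+$out,}noexec"
)

# write_dropin <main unit file> <drop-in directory>
write_dropin() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    printf '[Mount]\nOptions=%s\n' \
        "$(merge_options "$(unit_options "$1")")" > "$2/noexec.conf"
}

# Demo on a constructed unit in a temp dir (not a real FCOS unit file).
demo() {
    tmp="$(mktemp -d)" || return 1
    printf '%s\n' '[Mount]' 'Where=/var' 'Type=ext4' \
        'Options=rw,nodev,exec' > "$tmp/var.mount"
    write_dropin "$tmp/var.mount" "$tmp/var.mount.d" &&
        cat "$tmp/var.mount.d/noexec.conf"    # Options=rw,nodev,noexec
    rm -rf "$tmp"
}
demo
```

On a host, the arguments would be the unit file that systemctl cat reports and its matching .d directory, followed by systemctl daemon-reload; the new options apply the next time /var is mounted.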