Mounting an encrypted volume presents the volume to all users on a machine
Przemek Klosowski
przemek.klosowski at nist.gov
Tue Oct 26 21:07:46 UTC 2010
On 10/26/2010 04:05 PM, Bruno Wolff III wrote:
> On Tue, Oct 26, 2010 at 14:18:55 -0400,
> Przemek Klosowski<przemek.klosowski at nist.gov> wrote:
>>
>> Such user-differentiated authorization is provided by the filesystem
>> access rights, ACLs and SELinux attributes. Note that unlike the first
>> two mechanisms, SELinux can protect the data even for systems with
>> compromised root---as someone said, SELinux can be configured so that
>> you can tell people "here's the root password; now break into my computer".
>
> That's overstating things a bit. A root compromise is usually going to allow
> working around selinux limitations.
My point here is to distinguish between 'compromised root' and
'compromised overall system integrity'. Many (but not all) exploits are
of the first kind (get a root shell, or change your EUID to zero). Of
course the latter exploits can get around any security, as you say.
More information about the devel
mailing list