Encrypted home directory

Bruno Wolff III bruno at wolff.to
Tue Dec 23 08:58:12 UTC 2008


On Tue, Dec 23, 2008 at 09:27:56 +0100,
  Ralf Corsepius <rc040203 at freenet.de> wrote:
> The rationale for wanting a completely encrypted system has always
> escaped me, esp. when being on a multi-user system.

Full disk encryption isn't meant to protect the system from authorized
users. It's meant to protect the system from people who get their hands
on the hardware.
To protect against other users, you probably want to use SELinux. However,
I don't think the current policy is great for doing this. I played with
MCS for a while and it seemed pretty cumbersome. And different use cases
are going to want to allow different levels of interaction between users,
so a one-size-fits-all policy for compartmentalizing users might need
a lot of booleans to make it widely suitable.
A simple start would be a boolean that made it so users could not access
files that were user_home_t or user_tmp_t owned by a user different from
that of the executing process. I am not sure if this can even be done
generically. You might need to modify the policy after each user is created.
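The reply above mentions using MCS categories to keep one user's user_home_t and user_tmp_t files out of reach of another user. The following script is an added illustration, not code from the mailing list or from the SELinux project: it parses a constructed `ls -Z`-style listing and applies the MCS rule (a subject may touch an object only when the subject's category set includes every category on the object) to show which home/tmp files a given user could still reach once each user has been given a private category. The per-user category table, the file listing and the function names are all assumptions made for the example; real decisions are made by the kernel policy, and DAC permissions are ignored here.

```python
"""Offline model of MCS-style compartmentalisation of home directories.

This reproduces only the MCS dominance rule over constructed data so that the
effect of assigning each user a private category can be inspected without a
SELinux-enabled host.
"""
import re

# Constructed sample in the style of `ls -Z` output (mode owner group context path).
# Alice's files carry category c1, Bob's carry c2, and one of Bob's files was
# left without a category to show what an incomplete relabel looks like.
SAMPLE_LS_Z = """\
-rw-r--r-- alice alice unconfined_u:object_r:user_home_t:s0:c1 /home/alice/notes.txt
-rw-r--r-- alice alice unconfined_u:object_r:user_tmp_t:s0:c1 /tmp/alice-scratch
-rw-r--r-- bob   bob   unconfined_u:object_r:user_home_t:s0:c2 /home/bob/report.txt
-rw-r--r-- bob   bob   unconfined_u:object_r:user_home_t:s0 /home/bob/unlabelled.txt
-rw-r--r-- root  root  system_u:object_r:etc_t:s0 /etc/hostname
"""

# Hypothetical per-user category assignment (what an administrator would have
# recorded with chcat/semanage on a real system).
USER_CATEGORIES = {"alice": {1}, "bob": {2}}

# Types the reply proposes to compartmentalise per user.
COMPARTMENTED_TYPES = {"user_home_t", "user_tmp_t"}

CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>.+)$")


def parse_categories(level):
    """Expand an MCS level such as 's0:c1,c3.c5' into the set {1, 3, 4, 5}."""
    parts = level.split(":", 1)
    if len(parts) == 1:          # sensitivity only, no categories
        return set()
    cats = set()
    for piece in parts[1].split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", piece)
        if not m:
            raise ValueError("unrecognised category spec: %r" % piece)
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        cats.update(range(lo, hi + 1))
    return cats


def parse_ls_z(text):
    """Turn `ls -Z` style lines into dicts with owner, path, type and categories."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, owner, group, context, path = line.split(None, 4)
        m = CONTEXT_RE.match(context)
        if not m:
            raise ValueError("unrecognised security context: %r" % context)
        entries.append({
            "owner": owner,
            "path": path,
            "type": m["type"],
            "cats": parse_categories(m["level"]),
        })
    return entries


def mcs_allows(subject_cats, object_cats):
    """MCS rule: the subject's categories must dominate (be a superset of) the object's."""
    return object_cats <= subject_cats


def cross_user_access(entries, acting_user):
    """Paths of *other* users' home/tmp files that acting_user could still reach under MCS."""
    subject = USER_CATEGORIES.get(acting_user, set())
    return [
        e["path"] for e in entries
        if e["owner"] != acting_user
        and e["type"] in COMPARTMENTED_TYPES
        and mcs_allows(subject, e["cats"])
    ]


if __name__ == "__main__":
    files = parse_ls_z(SAMPLE_LS_Z)
    for user in sorted(USER_CATEGORIES):
        leaks = cross_user_access(files, user)
        print("%s can still reach: %s" % (user, leaks or "nothing"))
```

Running it shows that Alice can still reach Bob's uncategorised file (an empty category set is dominated by any subject), while Bob reaches none of Alice's files. The practical lesson is the one the reply hints at: the scheme only works if every user_home_t and user_tmp_t object actually carries its owner's category, which is why a relabel step after each user is created cannot be skipped.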
