Mounting an encrypted volume presents the volume to all users on a machine
Bruno Wolff III
bruno at wolff.to
Tue Oct 26 21:39:55 UTC 2010
On Tue, Oct 26, 2010 at 14:07:53 -0700,
Jesse Keating <jkeating at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> That's only if you give root the right to disable or load new selinux
> policy.
And the policy is tight enough. You need to not allow root shells or most
processes the ability to read the keys out of memory or to write memory
that will change how things work. I don't think targeted policy is locked
down enough to stop that even if you don't allow root to disble selinux.
> Seriously, there are machines on the public Internet with a published
> root account. You're welcome to log in and try to do anything with them.
Yeah, I know about one guy that offers a root password if you ask. I am
not sure what policy he is running on that machine.
More information about the devel
mailing list