Monitoring and prevention of MBR activity.

Daniel J Walsh dwalsh at redhat.com
Tue Sep 6 14:31:24 UTC 2011



On 09/06/2011 10:15 AM, phil wrote:
> Usually Master Boot Record, but Microsoft has semi-equivalents for
> their removable storage, IFS Insert File System, drivespace and
> DoubleSpace, whereas the MBR is key to the partition settings for a
> hard drive, similar protections can be expected to be helpful for
> the partition controls for non-spinning systems.
> 
> Using a write protected flash drive for content to prevent its
> alteration can take advantage of spanning.  Yet, hardware write
> blocking is usually global, but I have some Calluna controllers
> that allow tailoring of the blocking and access control via
> intercept of the ATA commands.
> 
> But, gosh, that is all at least 10 years old tech.
> 
> ----- Original Message ----- From: "Daniel J Walsh"
> <dwalsh at redhat.com> To: <selinux at lists.fedoraproject.org> Sent:
> Tuesday, September 06, 2011 7:04 AM Subject: Re: Monitoring and
> prevention of MBR activity.
> 
> 
> On 09/06/2011 09:51 AM, Robb III, George B. wrote:
>>>> Hi All-
>>>> 
>>>> Have an interesting problem in which monitoring and
>>>> preventing activity on the MBR would be very useful.
>>>> 
>>>> Has anyone used SELinux for this type of task?
>>>> 
>>>> Thanks for any assistance,
>>>> 
>>>> George
>>>> 
>>>> 
>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> Maybe if I knew what MBR stood for?
> 

OK, now I recognize it. SELinux can be used to allow/prevent processes
from writing to physical disk. For example, SELinux can prevent
processes, including confined administrators that are running as root,
from writing directly to /dev/sda.

The audit subsystem could be used to watch for processes writing to
physical disk. (SELinux could also, but auditing does a better job.)

Now if you have an app/admin user process that needs to have full
access to the system, but you want to make sure he does not modify the MBR,
you will have a difficult time writing policy for this.

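The audit approach from the reply above, as an added example that is not part of the thread: a watch on the raw disk node plus a parser that pulls the offending pid/uid/command out of the resulting records. The disk path, the rule key and the sample log records are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the list thread: an auditd watch on the raw disk
# node (where the MBR lives) and a small parser for the records it produces.
# DISK, KEY and the sample records below are assumptions/constructed data.

DISK=/dev/sda
KEY=mbr_write

# Install the watch (root only): log every open of $DISK with write
# permission, or an attribute change, tagged with $KEY. Put the same rule
# in /etc/audit/rules.d/ to keep it across reboots. A watch records the
# open(), not each later write(), and only opens of this node; other
# nodes for the same disk need their own watch.
install_watch() {
    auditctl -w "$DISK" -p wa -k "$KEY"
}

# Print "pid uid comm exe" for every SYSCALL record carrying $KEY.
# Reads the files given as arguments, or stdin; the same records can be
# pulled live with: ausearch -k "$KEY"
report_mbr_writes() {
    awk -v key="key=\"$KEY\"" '
        /^type=SYSCALL/ && index($0, key) {
            pid = uid = comm = exe = "?"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                gsub(/"/, "", kv[2])          # strip quotes around comm/exe
                if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "exe") exe = kv[2]
            }
            print pid, uid, comm, exe
        }' "$@"
}

# Constructed sample of /var/log/audit/audit.log: dd running as uid 0
# opens the disk read-write and matches the watch; the last event came
# from some other rule and is ignored.
SAMPLE_LOG='type=SYSCALL msg=audit(1315318284.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=2 a2=0 a3=0 items=1 ppid=1234 pid=1235 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dd" exe="/bin/dd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mbr_write"
type=CWD msg=audit(1315318284.123:456):  cwd="/root"
type=PATH msg=audit(1315318284.123:456): item=0 name="/dev/sda" inode=1040 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:00 obj=system_u:object_r:fixed_disk_device_t:s0
type=SYSCALL msg=audit(1315318290.456:457): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1234 pid=1240 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="other_rule"'

demo() {
    printf '%s\n' "$SAMPLE_LOG" | report_mbr_writes
}

demo
```

Pair the watch with the SELinux side of the reply (confining which domains may write to `fixed_disk_device_t`) so that the audit log shows attempts rather than successes.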

