Am Samstag 14 November 2009 23:50:42 schrieb Alan McKinnon: > On Saturday 14 November 2009 22:46:18 Dirk Heinrichs wrote: > > Am Samstag 14 November 2009 16:13:04 schrieb Nikos Chantziaras: > > > Ever heard about make menuconfig? > > > > ??? > > The account foolishly being "prevented" from bypassing SELinux is root. > > So, configure a new kernel, disable SELinux, build, install, reboot. > > Voila! No SELinux. > > Or, > > Edit grub.conf, reboot. > > Voila! No SELinux. > > Or, (as SELinux can be used to prevent access to grub.conf) > > Just hit the damn power button and edit the kernel options in the grub > command line.
Compile in kernel options, configure the kernel not to accept additional ones.
Damn power button rendered useless.
> Trying to prevent root from doing $STUFF on a pc is utterly and completely
> pointless and simply will not succeed, ever. There is hardware where this
> can be done, but it's not a PC, has no Intel designs in it and is often
> truly secured with armed guards.
This all implies physical access to the machine, right?
> trying to prevent root from doing $STUFF on Unix is utterly and completely
> pointless and simply will not succeed, ever. There are OSes where this can
> be done, but they are not Unix. By definition, on Unix root can do
> anything, including bypassing systems to prevent root from doing anything.
SELinux allows to spread the tasks root needs to do or can do accross several
roles. Of course, if only one single person has root access to the system this
doesn't make sense. But we're talking about cases where several people (incl.
the malicious attacker) have root access. So you can very well configure a
(SE-)Linux system so that "root" can't do everything.
Bye...
Dirk
signature.asc
Description: This is a digitally signed message part.
