On Tue, Mar 09, 2010 at 02:58:43PM -0500, Steven Bellovin wrote: > > On Mar 9, 2010, at 2:55 PM, Thor Lancelot Simon wrote: > > > > > That's a matter for the kernel to decide -- not one for some userspace > > program which could be tampered with by any process running with euid 0. > > > > At least, that is how I would strongly prefer it to be. > > But what's to stop someone from mounting a new file system over /bin? > Or are you talking about secure_level 2?
I'm talking about trying to build policies which provide some of the guarantees we only provide at securelevel 2 now, but allow more flexibility to do things the administrator's decided ahead of time the system should be allowed to do. Doing this right is not trivial (it may require a signature binding the contents of a medium to its UUID, etc.) but it's certainly not impossible either. Causing all binding of names to devices to run forcibly through a userspace daemon *will* make such enhancements impossible. That would suck. Thor
