Wes Hardaker wrote: >>>>>> On Thu, 21 Aug 2008 18:32:29 -0700, Bill Broadley <[EMAIL PROTECTED]> >>>>>> said: > > BB> Does your distro/kernel allow writing to memory? > > I meant protected even via root access... But SElinux should provide > this (I'm not an SELinux expert, mind you).
I meant via root. Does it work on your system by default? > BB> Not sure how you could prevent future loading of modules, or require > BB> loading only from RO media. > > You'd have to only allow loading from the RO media. Anytime you wanted > something new, you'd need to boot from something new. It'd be a pain > when you needed to change, of course. I'm not against it in principal, I just don't see how it would be practical to implement. The signed modules has an implementation, and doesn't require the reboots. But does require a module to be signed private key. So you can leave 100s of unused modules around and load them willy nilly, but still can't run a trojan module... all without having any exposure since the private key does not need to be on the system. _______________________________________________ vox-tech mailing list vox-tech@lists.lugod.org http://lists.lugod.org/mailman/listinfo/vox-tech
