On Saturday 14 November 2009 23:50:42 Alan McKinnon wrote:

> On Saturday 14 November 2009 22:46:18 Dirk Heinrichs wrote:
> > On Saturday 14 November 2009 16:13:04 Nikos Chantziaras wrote:
> > > Ever heard about make menuconfig?
> >
> > ???
>
> The account foolishly being "prevented" from bypassing SELinux is root.
>
> So, configure a new kernel, disable SELinux, build, install, reboot.
>
> Voila! No SELinux.
>
> Or,
>
> Edit grub.conf, reboot.
>
> Voila! No SELinux.
>
> Or, (as SELinux can be used to prevent access to grub.conf)
>
> Just hit the damn power button and edit the kernel options in the grub
> command line.

Compile in kernel options, configure the kernel not to accept additional ones.
Damn power button rendered useless.

> Trying to prevent root from doing $STUFF on a pc is utterly and completely
> pointless and simply will not succeed, ever. There is hardware where this
> can be done, but it's not a PC, has no Intel designs in it and is often
> truly secured with armed guards.

This all implies physical access to the machine, right?

> trying to prevent root from doing $STUFF on Unix is utterly and completely
> pointless and simply will not succeed, ever. There are OSes where this can
> be done, but they are not Unix. By definition, on Unix root can do
> anything, including bypassing systems to prevent root from doing anything.

SELinux allows the tasks root needs to do or can do to be spread across several
roles. Of course, if only one single person has root access to the system this
doesn't make sense. But we're talking about cases where several people (incl.
the malicious attacker) have root access. So you can very well configure a
(SE-)Linux system so that "root" can't do everything.

Bye...

Dirk
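The "compile in the kernel options, don't accept additional ones" step above, as an added example that is not part of Dirk's post: a kernel .config fragment in which the command line is fixed at build time and SELinux has no boot-time or runtime off switch. The option names are from the x86 Kconfig of kernels of that era (check them against your kernel's own Kconfig, since some were later renamed or removed), and the root device in CONFIG_CMDLINE is a placeholder.

```kconfig
# Added example: pin the kernel command line at build time.
# With CMDLINE_OVERRIDE=y the bootloader's command line is ignored
# entirely, so nothing typed at the grub prompt (e.g. "selinux=0"
# or "enforcing=0") reaches the kernel.
CONFIG_CMDLINE_BOOL=y
# placeholder root device; set to the real one for your system
CONFIG_CMDLINE="root=/dev/PLACEHOLDER ro quiet"
CONFIG_CMDLINE_OVERRIDE=y

# Added example: build SELinux in with no way to switch it off.
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
# Without BOOTPARAM the "selinux=" boot parameter is not even parsed.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# Without DISABLE there is no /selinux/disable node for a runtime
# disable before policy load.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Without DEVELOP there is no permissive mode at all, so "setenforce 0"
# and "enforcing=0" have nothing to act on. Note: this also removes the
# permissive mode you would normally use while writing policy, so
# build it on a separate development kernel.
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
```

This only closes the boot-parameter route Alan describes; it does nothing about booting a different kernel or medium, which is why it belongs together with a locked bootloader and the physical-access question Dirk raises.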