:Can SELINUX Impose a Better Confidentiality Over Encryption?
Can SELINUX Impose a Better Confidentiality Over Encryption? Dec 12, 2008, 14 :04 UTC (0 Talkback[s]) (3078 reads)
"The current topic of debate on the Debian-security mailing list is about how to shield data which comes from an encrypted file. SE Linux can protect the reading of the data from an encrypted file that one reads from /dev/mem (for all memory of the machine) or /proc//mem (for the memory of the process). But the logic behind is not that uncomplicated as one may assume. There are certain domains with the ultimate privileges in most of the SELinux configuration. To mention a few, there is unconfined_t for a default configuration and sysadm_t for a "strict" configuration. The USP of SE Linux is that it doesn't mandate a domain with ultimate privileges. If a majority of Linux users have an unconfined_t configuration and rest have a "strict" configuration, the domain that can access /dev/mem will always be there. The "strict" configuration can put SE Linux in permissive mode and can access /dev/mem. Though it is uncertain if it really works like this! But something close."
