"The current topic of debate on the Debian-security mailing list
is about how to shield data which comes from an encrypted file. SE
Linux can protect the reading of the data from an encrypted file
that one reads from /dev/mem (for all memory of the machine) or
/proc//mem (for the memory of the process). But the logic behind is
not that uncomplicated as one may assume. There are certain domains
with the ultimate privileges in most of the SELinux configuration.
To mention a few, there is unconfined_t for a default configuration
and sysadm_t for a "strict" configuration. The USP of SE Linux is
that it doesn't mandate a domain with ultimate privileges. If a
majority of Linux users have an unconfined_t configuration and rest
have a "strict" configuration, the domain that can access /dev/mem
will always be there. The "strict" configuration can put SE Linux
in permissive mode and can access /dev/mem. Though it is uncertain
if it really works like this! But something close."