"The current topic of debate on the Debian-security mailing list
is about how to shield data which comes from an encrypted file. SE
Linux can protect the reading of the data from an encrypted file
that one reads from /dev/mem (for all memory of the machine) or
/proc//mem (for the memory of the process). But the logic behind is
not that uncomplicated as one may assume. There are certain domains
with the ultimate privileges in most of the SELinux configuration.
To mention a few, there is unconfined_t for a default configuration
and sysadm_t for a "strict" configuration. The USP of SE Linux is
that it doesn't mandate a domain with ultimate privileges. If a
majority of Linux users have an unconfined_t configuration and rest
have a "strict" configuration, the domain that can access /dev/mem
will always be there. The "strict" configuration can put SE Linux
in permissive mode and can access /dev/mem. Though it is uncertain
if it really works like this! But something close."
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.