On 5 January 2015 at 07:47, Enrico Weigelt, metux IT consult <[email protected]> wrote:

> On 05.01.2015 00:40, Jude Nelson wrote:
>
> >> In VAX/VMS there was a feature that could in theory be useful,
> >> though I've never seen it actually used. File permissions could
> >> forbid the root user from reading the file. This might be useful
> >> for dire secrets. Even the sysadmin couldn't back up that file.
> >
> > I think for some applications (like dealing with medical records), this
> > is a legal requirement.
>
> No, certainly not (I'm currently working in that area) - that's just
> misinterpretation. Instead you'll need clear access control rules,
> which might have to prevent _operators_ from accessing certain data.
> In that case, operators won't have root access.
>

That answer is just plain wrong. There are several areas where there are significant legal requirements around disallowing the concept of a root / UID 0 user to have overriding access.

Please be advised that SELinux was built by the NSA *specifically* to be able to meet these legal requirements. Think Government, Finance, Defense, Intelligence, Law Enforcement, Medical.

Yes, this is first-hand, practical knowledge. Stating that there is no legal requirement anywhere for restricting access to information only to a certain group of users is .... funny ....

> On Unix/Linux, root / pid 0 can do everything, by definition. (not even
> capabilities / selinux really can stop this).

Again, this is incorrect. It is not only possible to do this with SELinux, it is one of the stated design goals. A good example is here: http://www.coker.com.au/selinux/play.html read the FAQ. Note that there are even stricter (read: more correct) implementations.

There are also commercial solutions that achieve this: https://www.trustifier.com/kse/#!overview and others like it, for example Raytheon also do similar products.

Configuring SELinux with a MLS/BLP model https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model is how to achieve the "go on, be root/UID0, you won't be allowed to do the things you are not allowed to do" setup. Good luck
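Added example, not part of the original message and not SELinux's own code: a minimal sketch of the textbook Bell-LaPadula checks that the MLS setup mentioned above is built on, using SELinux-style level strings. The subject names, UIDs and labels are constructed for illustration; the point is that the decision depends only on the label, never on the UID.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int          # sensitivity, e.g. 2 for "s2"
    cats: frozenset    # category numbers, e.g. {1, 3} for "c1,c3"


def parse_level(text):
    """Parse an SELinux-style MLS level such as 's2:c0.c3,c7'."""
    sens, _, cat_part = text.partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")      # "c0.c3" is a category range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(cats))


def dominates(a, b):
    """a dominates b: at least as sensitive and holding every category of b."""
    return a.sens >= b.sens and a.cats >= b.cats


@dataclass(frozen=True)
class Subject:
    name: str
    uid: int           # carried along only to show it plays no part below
    clearance: Level


def may_read(subj, obj_level):
    # Simple security property (no read up); subj.uid is never consulted.
    return dominates(subj.clearance, obj_level)


def may_write(subj, obj_level):
    # *-property (no write down); again independent of the UID.
    return dominates(obj_level, subj.clearance)


# Constructed sample subjects and object labels (assumptions for illustration).
ROOT_OPERATOR = Subject("root", 0, parse_level("s0"))
CLINICIAN = Subject("clinician", 1001, parse_level("s2:c0.c3"))
PATIENT_RECORD = parse_level("s2:c1,c3")
PUBLIC_NOTICE = parse_level("s0")

if __name__ == "__main__":
    for s in (ROOT_OPERATOR, CLINICIAN):
        print(s.name, "read record:", may_read(s, PATIENT_RECORD),
              "| write notice:", may_write(s, PUBLIC_NOTICE))
```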
