On Tue, Dec 23, 2008 at 09:27:56 +0100, Ralf Corsepius <rc040203@xxxxxxxxxx> wrote:
> The rationale for wanting a completely encrypted system has always
> escaped me, esp. when being on a multi-user system.

Full disk encryption isn't meant to protect the system from authorized users. It's meant to protect the system from people who get their hands on the hardware.

To protect against other users, you probably want to use SELinux. However, I don't think the current policy is great for doing this. I played with MCS for a while and it seemed pretty cumbersome. And different use cases are going to want to allow different levels of interaction between users, so a one-size-fits-all policy for compartmentalizing users might need a lot of booleans to make it widely suitable.

A simple start would be a boolean that made it so users could not access files that were user_home_t or user_tmp_t owned by a user different from that of the executing process. I am not sure if this can even be done generically. You might need to modify the policy after each user is created.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list