-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2011 10:15 AM, phil wrote: > Usually Master Boot Record, but Microsoft has semi-equivalents for > their removable storage, IFS Insert File System, drivespace and > DoubleSpace, whereas the MBR is key to the partition settings for a > hard drive, similar protections can be expected to be helpful for > the partition controls for non-spinning systems. > > Using a write protected flash drive for content to prevent it's > alteration can take advantage of spanning. Yet, hardware write > blocking is usually global, but I have some Calluna controllers > that allow tailoring of the blocking and access control via > intercept of the ATA commands. > > But, gosh, that is all at least 10 years old tech. > > ----- Original Message ----- From: "Daniel J Walsh" > <dwalsh@xxxxxxxxxx> To: <selinux@xxxxxxxxxxxxxxxxxxxxxxx> Sent: > Tuesday, September 06, 2011 7:04 AM Subject: Re: Monitoring and > prevention of MBR activity. > > > On 09/06/2011 09:51 AM, Robb III, George B. wrote: >>>> Hi All- >>>> >>>> Have an interesting problem in which monitoring and >>>> preventing activity on the MBR would be very useful. >>>> >>>> Has anyone used SELinux for this type of task? >>>> >>>> Thanks for any assistance, >>>> >>>> George >>>> >>>> >>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux > > Maybe if I new what MBR stood for? >> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux > Ok now I recognize it, SELinux can be used to allow/prevent processes from writing to physical disk. For example SELinux can prevent processes including confined administrators that are running as root from writing directly to /dev/sda. The audit subsystem could be used to watch for processes writing to physical disk. (SELinux could also, but auditing does a better job. Now if you have a app/admin user process that needs to have full access to the system but want to make sure he does not modify the MBR you will have a difficult time writing policy for this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5mLrwACgkQrlYvE4MpobM8OQCgqrv1+CmDMGiAhR7d2tgLLaS8 8ygAn1LCzsCRv2sLdfSY4FMrhJXGcCbI =Rg1a -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
