Thank you for your reply.

On Tue, Nov 1, 2016 at 3:45 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> If you can't get rid of root services entirely, then SELinux can extend
> this protection to even root processes. You'd probably want a custom
> policy from scratch for that kind of scenario; see the Android policy
> for an example.

A custom policy is most likely what I want... my question is... can I set up such a policy that disallows reading (and, by extension, copying) of an executable binary, and yet still be able to execute it?

A related question would be: can I bake that policy immutably into the kernel so that it cannot be disabled?

While I can't prevent physical access to the device, I can encrypt the kernel & rootfs (embedded as a cramfs) as a single binary blob, so I think (hope) that is as secure as my encryption key.

I would also do all of the normal hardening stuff of disabling loadable modules, shutting down network services, etc...

--wpd