On Tue, Oct 26, 2010 at 14:18:55 -0400, Przemek Klosowski <przemek.klosowski@nist.gov> wrote:
> Such user-differentiated authorization is provided by the filesystem access rights, ACLs and SELinux attributes. Note that unlike the first two mechanisms, SELinux can protect the data even for systems with compromised root---as someone said, SELinux can be configured so that you can tell people "here's the root password; now break into my computer".

That's overstating things a bit. A root compromise is usually going to allow working around SELinux limitations.