On Tue, Oct 26, 2010 at 14:07:53 -0700, Jesse Keating jkeating@redhat.com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
That's only if you give root the right to disable or load new selinux policy.
And the policy is tight enough. You need to not allow root shells or most processes the ability to read the keys out of memory or to write memory that will change how things work. I don't think targeted policy is locked down enough to stop that even if you don't allow root to disble selinux.
Seriously, there are machines on the public Internet with a published root account. You're welcome to log in and try to do anything with them.
Yeah, I know about one guy that offers a root password if you ask. I am not sure what policy he is running on that machine.