Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Matthew Garrett
Date: Wed Feb 13 2013 - 20:04:56 EST

On Wed, 2013-02-13 at 16:44 -0800, Casey Schaufler wrote:

> If you want that sort of granularity throw yourself on the SELinux
> bandwagon. Fine grained capabilities are insane and unmanageable
> and will only lead to tears. Security is despised because of the
> notion that making systems impossible to use is a good thing.

SELinux is completely unusable for this specific case.

Matthew Garrett | mjg59@xxxxxxxxxxxxx
èº{.nÇ+‰·Ÿ®‰­†+%ŠËlzwm…ébëæìr¸›zX§»®w¥Š{ayºÊÚë,j­¢f£¢·hš‹àz¹®w¥¢¸ ¢·¦j:+v‰¨ŠwèjØm¶Ÿÿ¾«‘êçzZ+ƒùšŽŠÝj"ú!¶iO•æ¬z·švØ^¶m§ÿðà nÆàþY&—