How to protect a file ... even from root ? [closed]
how can you make files on your system immutable. By immutable, I mean even root can't delete the files if he chooses to.
SELinux can do this, as long as you reverse the question. You can set up SELinux types running as root that cannot touch files on the system. The thing most people don't understand is that they need to clarify what the process "CAN DO" versus what the process "CANNOT DO". As was stated in the previous reply to this statement, you can turn the file immutable, but if you can make the file immutable from root, then you get no security. Similarly for SELinux: if you define a type for a process that can do everything except touch a particular file (type), then the process could turn SELinux off and touch the file, or transition to a type that could touch the file.
@Dan Walsh, you can post your own question on SELinux and answer it for documentation! We recommend and encourage this.
To make your file immutable
# chattr +i testfile
You can only do it logged in as root. Here the +i option sets the immutable bit for the file. Once this bit is set, even root can't delete or tamper with the file.
If you want to unset the immutable flag, just run the following command:
# chattr -i testfile
You can check the attributes of a file by using the following command:
# lsattr testfile
----i-------- testfile
If the immutable flag is set, there will be an 'i' in the listing. This command is used by system administrators to restrict users from changing a file in a particular way. Even an administrator can delete a critical file by mistake because of a mistyped command, but if the immutable flag is set, such mistakes can be avoided.
chattr can be used to set/unset many more file attributes. For example, if you want to allow everybody to just append data to a file and not change already entered data, you can set the append bit as follows:
# chattr +a testfile
Now the testfile can only be opened in append mode for writing data. You can unset the append attribute as follows:
# chattr -a testfile
To know more about this very useful tool in the system administrator's toolbox, check the man page for chattr.
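The following script is an added example and is not code from any of the answers above. It exercises the two chattr flags the answer describes (+i immutable, +a append-only), verifies them with lsattr, and then demonstrates the caveat from Dan Walsh's answer: the same root that set the flag can clear it, so +i protects against mistakes rather than against a hostile root. The file name chattr_demo_file, the helper names (has_attr, file_has_flag, expect_refused, overwrite, append, demo) and the assumptions that the target directory is on a filesystem implementing these flags (ext2/3/4, XFS, Btrfs; tmpfs and many container overlays do not) and that the caller holds CAP_LINUX_IMMUTABLE are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Shows chattr +i / +a in action, checks them via lsattr, and shows that
# root can simply clear the flag again (the caveat from the SELinux answer).
#
# Assumptions (mine): the directory passed as $1 (default: .) is on a
# filesystem that implements these flags (ext2/3/4, XFS, Btrfs), and the
# caller has CAP_LINUX_IMMUTABLE, i.e. real root outside a restricted
# container. Without that, chattr +i fails with EPERM.

set -u

# has_attr "LSATTR_LINE" FLAG
# Parses one line of lsattr output: the attribute letters are the first
# whitespace-delimited word, the file name follows. Returns 0 if FLAG is set.
has_attr() {
    flags=${1%% *}
    case $flags in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# file_has_flag FILE FLAG: the same check against the live filesystem.
file_has_flag() {
    has_attr "$(lsattr -d -- "$1" 2>/dev/null)" "$2"
}

# expect_refused CMD...: run an operation the flag should block.
# Returns 0 only if the kernel indeed refused it.
expect_refused() {
    if "$@" 2>/dev/null; then
        echo "UNEXPECTED: '$*' succeeded"
        return 1
    fi
    echo "refused as expected: $*"
}

# Small wrappers so redirections can be passed to expect_refused.
overwrite() { echo "overwrite" > "$1"; }    # open(O_WRONLY|O_TRUNC)
append()    { echo "appended" >> "$1"; }    # open(O_WRONLY|O_APPEND)

demo() {
    dir=${1:-.}
    f=$dir/chattr_demo_file
    printf 'original line\n' > "$f" || return 1

    if ! chattr +i -- "$f" 2>/dev/null; then
        echo "chattr +i failed: filesystem lacks the flag or CAP_LINUX_IMMUTABLE is missing"
        rm -f -- "$f"
        return 1
    fi
    lsattr -d -- "$f"
    file_has_flag "$f" i && echo "immutable flag confirmed via lsattr"

    # With +i set, even root's writes, appends, links, renames and unlinks fail.
    expect_refused overwrite "$f"
    expect_refused append "$f"
    expect_refused ln -- "$f" "$f.link"
    expect_refused mv -- "$f" "$f.renamed"
    expect_refused rm -f -- "$f"

    # The caveat: the same root just clears the flag. Only a confined root
    # (SELinux) or no root at all (power off) stands in the way of this.
    chattr -i -- "$f"
    echo "flag cleared by root; the file is an ordinary file again"

    # Append-only: data can be added, existing bytes cannot be changed or removed.
    chattr +a -- "$f"
    append "$f" && echo "append allowed with +a"
    expect_refused overwrite "$f"       # truncation is refused
    expect_refused rm -f -- "$f"        # unlink is refused
    cat -- "$f"

    chattr -a -- "$f"
    rm -f -- "$f"
}

# The parsing helpers run anywhere; the live demo only where it can work.
if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
    demo "${1:-.}" || echo "live demo could not run on this filesystem/container"
else
    echo "skipping live demo (needs root and e2fsprogs' chattr)"
fi
```

Run it as root with a directory on an ext4 or XFS volume as the argument; inside an unprivileged container it will report that chattr +i is refused, which is itself the point: the flag is only as strong as the ability to keep CAP_LINUX_IMMUTABLE away from whoever you are defending against.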
Block all physical access to the system. Power off the box, disconnect all cables, remove all batteries and other power supplies.
SELinux can not help here. Policy must be loaded to enable SELinux. Whatever loads policy is likely able to access the file before it loads policy.
Asked: 2011-09-29 01:52:38 -0600
Last updated: Oct 02 '11