Re: from / to /usr/: a summary
* Philipp Kern <email@example.com> [111226 12:02]:
> Sorry, but what kind of argumentation is that? If the admin doesn't notice
> reboots and/or file tampering, I could just replace the kernel with my modified
> one and reboot. Now of course you could increase your paranoia and boot the
> kernel from an immutable disc. But then I'd just load all relevant modules in
> the initramfs and set modules_disabled there instead of doing custom built
> kernels just to get rid of modules.

As you pointed out so nicely: modules_disabled is only a replacement if
you have a custom initramfs and do not allow that to be modified
automatically. So from the point of the original discussion,
modules_disabled is no solution.