From: ao@morpork.shnet.org (A. Ott)
Subject: Re: 1.0.9b-pre2 uploaded
Date: 25 Feb 2000 11:10:00 +0100
Next Article (by Author): Re: Appropriate for webserver? ao@morpork.shnet.org (A. Ott)
Previous Article (by Author): 1.0.9b-pre2 uploaded ao@morpork.shnet.org (A. Ott)
Top of Thread: 1.0.9b-pre2 uploaded ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: 1.0.9b-pre2 uploaded ao@morpork.shnet.org (A. Ott)

To subject Re: 1.0.9b-pre2 uploaded
pollard@dns1.navo.hpc.mil (Jesse Pollard) wrote:

> ao@morpork.shnet.org (A. Ott):
> ...
> >- If somebody of you has an SMP system, I would really appreciate feedback
> >  and debugging help. RSBAC does not access data on unmounted filesystems,
> >  so it should be safe to set up a test system on a separate partition.
>
> Yes I do... And I've had some problems. First a URL reference to my (our)
> system: http://www.cats-chateau.net/ (undergoing development). There
> is a section at http://www.cats-chateau.net/homenet/security/ that
> outlines the beginning of an approach to a very secured web server, but
> without assuming a bug free web server...

The name kitten.navo.hpc.mil (referenced from there) cannot be resolved here.

> I have installed the RSBAC patches (for 2.2.13 - not all documents have
> been updated yet), created a maintenance and secure kernel.
>
> And unfortunately, I don't have a free partition to stick it on. I do have
> a backup system partition however (I don't fully count that as a free
> partition).
>
> I booted both maintenance and secured kernels just to see what would happen;
> they both hung after reporting the "can't compeletely read..." messages.

This is surely a locking issue. What exactly was the last message that
appeared, so we can nail the part down? What, if using kernel param
rsbac_debug_all (Warning: loads of messages!)?

> I was wondering if the problem may be related to accepting the default
> RSBAC options.

No, definitely not. You would get RSBAC logging messages with lots of
NOT_GRANTED, if the settings were wrong.

> Specifically - should I only include the MAC and AUTH
> modules?

You can include all modules you might need, reducing to the necessary ones
later. You should leave out Role Protection and instead use AUTH.

> Does the MAC include the compartments?

Yes, it includes all MAC stuff, e.g. MAC compartments. Or you could use RC
model, with much more flexible separation of areas.

> I didn't locate any
> documents that talked about that, only the hang sounded like the "may not
> be able to login ..." sections. Is there a little bit more info on the
> installation procedures? The patch/compile procedures worked fine - no
> errors reported there.
>
> The hang appeared to occur at the end of the RSBAC initialization. The
> sections after that in my boot sequence are to complete the single user list
> - loading modules for filesystems, controller, network, sound card ...
> Then the multi-user startup.

S.a.: This must be a locking problem. I will recheck the spinlocks used
during init. I would like to get those hangs fixed before releasing
1.0.9b-final. This is why I asked for SMP help.

> I'm using a Slackware 7.0 base (hence the 2.2.13 kernel).

2.2.13 is the best kernel I ever used, but I am only a UP user.

> I'm also willing to help fill out some of the documentation. That was
> part of what I was doing with the security reference, just to create some
> introductory writeups and a sample use design (as well as a light analysis
> of the security).

You are very welcome to do that.

Amon.
--
Please remove second ao for E-Mail reply - no spam please!
## CrossPoint v3.11 ##
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.