From: ao@morpork.shnet.org (A. Ott)
Subject: Re: praise and install issues of rsbac
Date: 20 Jan 2000 20:32:00 +0100

tech-guy@excite.com (tech-guy) wrote:

> i really like this b1 security package for linux and i have nothing but
> praise for it. it was scary installing it and had much mistakes especially
> by not installing the admin tools prior to a reboot! good thing i had a
> virgin kernel bootdisk laying around...
>
> i've joined the rsbac list but i could wait sending an email for help!
>
> lessee here is the install history:
> - patched the virgin 2.2.12-4 kernel w/ the 1.09path, selected everything
> except for the role switching on all models
> - did this all as root and before the reboot was getting massive segfault
> 11's and core dumps- whew!

Uh?

> - after rebooting with the sparebootdisk, read more of the docs and
> installed the admintools. created the security officer role(uid400) and the
> dp role (uid401) but i didn't know what the tp role was for and what
> uid it belonged to.

Transaction Procedure admin for Privacy Model. Can be set by secoff and
data-prot later, so I did not preselect a uid. Take e.g. 402.

> - before the next reboot, i created a maintenance kernel and fixed lilo.conf
> for multiple image selection - rebooted
> - after the reboot, ran the sample rc and acl scripts from
> /usr/src/(rs_admin_install_dir)/examples - rebooted

Well... They are not meant to be applied without knowing about the models,
because they make the settings more complicated.

> - getting bunches of cannot read ACL on 03:08 which i found out thru
> /proc/rsbac_info was the device for hda!

NOT_FOUND messages are fine at the beginning - you should only care if they
reappear after having disappeared.

> - trying to run the script menus in a plain login prompt or even in
> xwindows in xterm as root but ended w/ a plain prompt again, no segfaults,
> no access violations, ran strace on each rsbac_menu_xxx and it had very
> small traces of process violations i think- my resolution is at 1600x1200.
> lots of shell real estate. read through the docs again and noticed that it
> was suggested to reexport COLUMNS and ROWS from /etc/profile but that's for
> bash and my primary login shells are tcsh for root, security officer and
> data protection officer.

As you can see in the scripts, they urgently need bash - there are quite a
few control structures used. I never even thought about doing them again in
tcsh ;). Try starting them from bash.

Also, you must have the dialog tool installed.

> - reboots are a little cleaner now but still getting the ACL could not be
> read on /dev/hda<root>

Don't bother now, see above.

> - i'm using the maintenance boot kernel a little too much though and it is
> becoming a crutch

Try configuring only some, not all models for first steps, e.g. RC, AUTH and
ACL.

Amon.
--
Please remove second ao for E-Mail reply - no spam please!
## CrossPoint v3.11 ##
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.