Notes about RSBAC status and behaviour


From: ao@morpork.de (Amon Ott)
Subject: Notes about RSBAC status and behaviour
Date: 06 Jun 2000 12:31:00 +0200



Hi all!

Some notes:

- All recent RSBAC versions do not intercept sys_kill properly with a
  SEND_SIGNAL request. I just uploaded a new 2.2.15 patch into the pre dir
  which includes this. Please check it, MAC people please double check it,
  because signals to processes are treated as write access.
  I will not include this in all existing patches, so please tell me
  which versions you really need. Only those will be included in the 1.0.9b
  release, which I want to get out quickly now.

- Despite older docs, ADD_TO_KERNEL never gets a FILE target. This is
  technically impossible, because the module syscalls do not tell file
  names. If you want to limit module loading to some files/dirs, use RC
  to do the following:
  - add a new role 'Module loader'
  - add a new type 'Legal modules'
  - set rc_force_role for /sbin/insmod etc. to the new role
  - disallow ADD_TO_KERNEL and REMOVE_FROM_KERNEL to target SCD-other for
    role Sysadmin
  - allow these for the new role
  - limit READ_OPEN access for the new role to the new type only (you will
    still need SEARCH for the general type)
  - Change the type of your legal module dirs/files to the new type
  - if insmod etc. need library access, also give SEARCH and READ_OPEN to
    your library type (add one, if you don't have one - you will need it
    anyway for other roles)
  - Please note that your legal modules are now write protected, too. You
    will have to give role Sysadmin temporary write access for changes.

- 2.4.xx kernels will not be supported in the 1.0.9b release, but will be
  added later - this has already been mentioned. 2.3.99-pre4 heavily changed
  file lookup, and RSBAC needs some significant changes because of this.

- rsbac-klogd by Stanislav has been uploaded into pre dir. Please test it.


Amon.

--

-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.
