Re: MAC trivial question...


From: Fabrice MARIE <fabrice@celestix.com>
Subject: Re: MAC trivial question...
Date: Wed, 30 Aug 2000 12:56:45 +0800

Next Article (by Date): Re: MAC trivial question... Amon Ott
Previous Article (by Date): Re: colorizer and MAC trivial question... Amon Ott
Next in Thread: Re: MAC trivial question... Amon Ott
Articles sorted by: [Date] [Author] [Subject]


Hi !

On Tue, 29 Aug 2000, you wrote:
> > Enhancements of this conf file, etc.. are welcome!!
> Interesting. I will have a closer look.

Thank you.

> > As a normal user, I cannot su. The MAC module denies su changing the owner
> > from 501 to 0. Can anyone explain slowly how I can change this?
> You are not allowed to change owner to an ID whose security level you do
> not dominate. E.g., if 501 has sec_level 0 and root 252, this is not
> allowed. If 501 also had 252, it would work. Without this restriction, the
> security classification could be violated.
> You find the code in rsbac/adf/mac/mac_main.c, lines 1109-1134. You could
> change the returning of NOT_GRANTED to a warning message.

Ok, I understand better now. Thanks.

> > MAC is still very problematic for me. I'm still learning slowly :)
> I don't use it myself, because it is too restrictive and does not fit well
> into the Linux world.

It's very restrictive yes. But I find it useful in some configurations.
But not on my notebook of course ! hehehe.

> BTW, Stanislav has some patches to make MAC work better under Linux.
> Chris, where are your patches?

However, with some patches to make it more Linux-friendly ... mmmh ... patches??
Stanislav, would you mind sending your patches? I think there is an interesting piece of
work to be done to make MAC more usable in the Linux world.
I guess, if we do so though, it would be less secure ... at least in theory? Am I wrong? Amon?

I had a look at the competition (medusa and lids for instance) and I still prefer rsbac,
for its design and usability. However ... I found a couple of nice things in them that (I think)
are not integrated in rsbac. Volunteers?

from medusa: you can set up some booby-traps. Say for example the user runs ifconfig;
you can configure medusa to run exit or logout instead of ifconfig, only for some users.
Very strict policies are one thing, having some fun with script-kiddies is interesting as well.
Seriously, most of the script kiddies would stop attacking you if you bother them a bit on your system.

openwall: they have a patch to have a non-executable stack; the patch does other stuff as well...
Does it work nicely with rsbac? Has anyone used those patches? Is it extensively configurable (like rsbac is)?
I'm thinking that it would be nice to add those features to rsbac ... not at all to replace rsbac with these toys.

What do you think ?
Fabrice.
-- 
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
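The dominance rule Amon describes above (a subject may only change owner to a uid whose security label it dominates), as an added example that is not part of this post or of the RSBAC source: a stand-alone C model of the CHANGE_OWNER decision. It generalizes the level-only case in the thread to labels carrying both a hierarchical level (0..252, the range RSBAC MAC uses) and a set of categories, since RSBAC MAC has both. The bitmask layout, the function names, the decision enum and the sample user table are assumptions for illustration, not the kernel's data structures or the code in mac_main.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the RSBAC MAC dominance rule for CHANGE_OWNER.
 * Not code from rsbac/adf/mac/mac_main.c; a self-contained model.
 * A label is a hierarchical security level (0..252 in RSBAC MAC) plus a
 * category set; the uint64_t bitmask for categories is an assumption made
 * here for illustration, not the kernel's representation.
 */
#define MAC_MAX_LEVEL 252

typedef struct {
    uint8_t  level;       /* 0 = lowest, MAC_MAX_LEVEL = highest */
    uint64_t categories;  /* one bit per category the label carries */
} mac_label_t;

enum mac_decision { GRANTED = 0, NOT_GRANTED = 1 };

/* Build a label, clamping the level to the maximum RSBAC MAC allows. */
mac_label_t mac_label(uint8_t level, uint64_t categories)
{
    mac_label_t l;
    l.level = level > MAC_MAX_LEVEL ? MAC_MAX_LEVEL : level;
    l.categories = categories;
    return l;
}

/* a dominates b iff a's level is at least b's and a carries every category of b. */
bool mac_dominates(mac_label_t a, mac_label_t b)
{
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}

/*
 * CHANGE_OWNER check as described in the thread: the subject may switch to
 * a new owner only if the subject's label dominates the new owner's label.
 * Otherwise a process could take on a uid cleared for data above its own
 * level, and the classification would be violated.
 */
enum mac_decision mac_check_change_owner(mac_label_t subject, mac_label_t new_owner)
{
    return mac_dominates(subject, new_owner) ? GRANTED : NOT_GRANTED;
}

/* Constructed sample user table standing in for per-user MAC attributes. */
typedef struct { unsigned uid; mac_label_t label; } user_entry_t;

static const char *decision_name(enum mac_decision d)
{
    return d == GRANTED ? "GRANTED" : "NOT_GRANTED";
}

int main(void)
{
    /* Case from the thread: uid 501 at level 0, root at level 252 -> denied. */
    user_entry_t root_a = { 0,   mac_label(252, 0) };
    user_entry_t user_a = { 501, mac_label(0,   0) };
    printf("501(level 0)   -> 0(level 252): %s\n",
           decision_name(mac_check_change_owner(user_a.label, root_a.label)));

    /* Give 501 level 252 as well: now the switch is allowed. */
    user_entry_t user_b = { 501, mac_label(252, 0) };
    printf("501(level 252) -> 0(level 252): %s\n",
           decision_name(mac_check_change_owner(user_b.label, root_a.label)));

    /* Categories matter too: equal level is not enough if root holds a
     * category that 501 does not carry. */
    user_entry_t root_c = { 0,   mac_label(252, 1ULL << 3) };
    user_entry_t user_c = { 501, mac_label(252, 0) };
    printf("501(252, {})   -> 0(252, {3}):  %s\n",
           decision_name(mac_check_change_owner(user_c.label, root_c.label)));
    return 0;
}
```

The three calls in main correspond to Amon's two cases plus the category case; the last one shows why a level-only mental model is not enough once categories are assigned, which is what makes MAC feel so restrictive in practice.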
