Re: Re[8]: RSBAC v1.1.1 problem


From: Amon Ott <ao@rsbac.org>
Subject: Re: Re[8]: RSBAC v1.1.1 problem
Date: Tue, 17 Apr 2001 12:04:40 +0200

Next Article (by Date): Re: mysql problems - bugfix? Bencsath Boldizsar
Previous Article (by Date): ACL on soft links ? Fabrice MARIE
Top of Thread: Re[8]: RSBAC v1.1.1 problem Keith Matthews
Articles sorted by: [Date] [Author] [Subject]


On Don, 12 Apr 2001 Keith Matthews wrote:
> On Thu, 12 Apr 2001 12:17:03 +0200 Amon Ott <Amon Ott <ao@rsbac.org>> wrote:
> > There are several solutions to the version name problems, all of which do not
> > solve all requirements.
> > 
> > Reqs:
> > - RSBAC kernels need distinct version string, because modules might need
> > additional symbols
> > - The version string should only be changed, if RSBAC is enabled (reason: s.a.)
> > - If CONFIG_RSBAC is off, the resulting kernel must be original kernel
> > 
> 
> I think there is one extra here:
> 
>  - The version string must be available fully to any modules that are not
> compiled as part of the kernel compile.
>
> Admittedly these should be rare for security reasons. Indeed I cannot
> think of any other than pcmcia-cs, but there probably are around the funny
> drivers area. It would be interesting to see what Alcatel's SpeedTouch USB
> DSL modem driver makes of it.

This requirement is sure important. However, I never had problems with my REG
samples. Coould you please test your modules with pre3, when it has come out?

> > Probs:
> > - Changing EXTRAVERSION is always active, because .config gets read after
> > building full version string
> > - Modifying version string (as done now) gives dependency probs, because
> > version.h does have a dependency entry for CONFIG_RSBAC (thus the touch
> > Makefile)
> > 
> 
> i.e. it clashes with my new requirement above.
> 
> > What we could do is just add -rsbac to EXTRAVERSION and say, whoever patches in
> > RSBAC means to have it on anyway. This would also remove the dependency problem.
> > 
> 
> I eventually solved the problem along these lines by adding 'r' to the
> existing version string and commenting out the modified one in the
> makefile. All worked fine after that, card services came up, the ethernet
> driover started up, ipchains worked fine and the machine is talking to the
> rest of the network.

The Makefile has now been changed to modify EXTRAVERSION, if RSBAC is on.

Do I have to make the version change optional?
 
> I still have to understand how to control AUTH etc to do what I want but
> that is a (very) different matter.

Please ask here, if you need help.
 
> > The disadvantage is that you would have to build a standard kernel from another
> > tree, with another 70-150 MB of disk space.
> > 
> 
> <cynical mode> With minimum HDD sizes for new disks currently at 20 Gb and growing would
> that matter to many users.</cynical mode>

For me this is an important argument, because I use preconfigured
installations. The extra tree would significantly increase each(!) archive size.

Amon.
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Date): Re: mysql problems - bugfix? Bencsath Boldizsar
Previous Article (by Date): ACL on soft links ? Fabrice MARIE
Top of Thread: Re[8]: RSBAC v1.1.1 problem Keith Matthews
Articles sorted by: [Date] [Author] [Subject]


Go to Compuniverse LWGate Home Page.