[rsbac] my 2.4.32pre2 +rsbac oops

Murf murf at post.cz
Mon Aug 29 10:34:43 CEST 2005


Bencsath Boldizsar wrote:
>  Murf wrote:
> 
>>I don't fully understand what you are doing.
>>There is no point to try to make together rsbac and grsec.
>>Try to understand that both are different projects.
> 
> 
> ???
> Why do you think that rsbac and grsec cannot be used in parallel? E.g. I can
> make use of the chroot extensions, proc file system protection, ip
> randomization of grsec and the role based model of rsbac.
> 

You wrote you are using RBAC of GRSEC.
Does GRSEC have a correct implementation of the RBAC model
according to the specification?

http://csrc.nist.gov/rbac/gavrila-barkley-98.pdf
http://csrc.nist.gov/rbac/jansen-ir-rbac.pdf

I would be surprised if it has. You know, RSBAC has
its own strong RC security model, so what are you using from
RSBAC if you are using RBAC from GRSEC?

Random IP id or source ports sound good in some cases,
but afaik it's in 2.6 already, so probably you are talking
about the 2.4 branch. BTW, there is a separate patch
for 2.4 somewhere, if it's the only thing that you are missing.

You can enable /proc restriction in RSBAC too.
A process can access other processes' proc data
only if it has the GET_STATUS_DATA right to the destination
process type. What other restriction did you mean?

You can use JAIL module in RSBAC instead of chroot
and its extension from GRSEC.

Still didn't get the point of using it together.

If you are just playing with kernel patches with many rejects,
I have nothing against it ;).

Rgds,

Murf

