
This is an old revision of the document!


This document provides information on upgrading from one RSBAC version to the next. Please always read it before you upgrade to a new version!

Upgrading from v1.2.4 to v1.2.5-pre

  • Compile and install the new version as usual, but with Softmode and RSBAC's own logging support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings!
  • Reboot into new kernel with kernel parameters rsbac_softmode and rsbac_nosyslog - the system will most likely be unusable without them.
  • You can get at the new logging source with “cat /proc/rsbac-info/rmsg” as secoff (uid 400). If you want, you can install rsbac_klogd from admin tools contrib which essentially does the same job, but calls setuid(400) itself and logs to a file.
  • RC: Add IOCTL right for all roles to DEV and NETOBJ types as required - the log will tell you. It is advisable to use the new device major objects (rsbac_rc_role_menu).
  • RC: Add GET_PERMISSIONS_DATA and MODIFY_PERMISSIONS_DATA rights for all roles to tty devices as required - the log will tell you. It is advisable to use the new device major objects (rsbac_rc_role_menu).
  • RC/ACL: Add GET_STATUS_DATA and MODIFY_SYSTEM_DATA rights to the new SCD targets quota, sysctl, nfsd, ksyms and mlock as required.
  • RC/ACL: Add ADD_TO_KERNEL and REMOVE_FROM_KERNEL rights to the swap devices and files (DEV and FILE targets) as required.
  • ACL: Add IOCTL right for all subjects to DEV and NETOBJ objects as required - the log will tell you. It is advisable to use the new device major ACLs (rsbac_acl_menu).
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).

Upgrading from v1.2.3 to v1.2.4

  • Compile and install new version as usual, but with Softmode support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings!
  • Reboot into new kernel with kernel parameter rsbac_softmode.
  • If the system is unusable because too many log messages are scrolling by, enable RSBAC's own log facility in the RSBAC kernel configuration (if not yet there), reinstall (ditto) and turn off syslog logging with the rsbac_nosyslog kernel parameter. You can get at the new logging source with rsbac_klogd from admin tools contrib or “cat /proc/rsbac-info/rmsg” as secoff (uid 400).
  • RC: Add GET_STATUS_DATA right for all roles to NETOBJ types as required - the log will tell you (rsbac_rc_role_menu).
  • RC: With option “RC check access to UNIX partner process”: Add CONNECT, ACCEPT, SEND and RECEIVE rights for all roles to PROCESS types as required - the log will tell you (rsbac_rc_role_menu).
  • RC: With User management: Add rights for all roles to USER and GROUP types as required - the log will tell you (rsbac_rc_role_menu).
  • ACL: With User management: Add rights to USER and GROUP :DEFAULT: or individual users and groups as required - the log will tell you (rsbac_acl_menu).
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).

Upgrading from v1.2.2 to v1.2.3

  • Compile and install the new version as usual, but with Softmode support (see Quick install). Attention: After installing the new admin tools, you can only use the proc interface to change settings!
  • JAIL: Change all calls to rsbac_jail tool in your init scripts to the new syntax: chroot-dir and IP are now optional with -R and -I. You should consider using the new Linux capability limitation in JAIL module.
  • Reboot into new kernel with kernel parameter rsbac_softmode.
  • If the system is unusable because too many log messages are scrolling by, enable RSBAC's own log facility in the RSBAC kernel configuration (if not yet there), reinstall (ditto) and turn off syslog logging with the rsbac_nosyslog kernel parameter. You can get at the new logging source with rsbac_klogd from admin tools contrib or “cat /proc/rsbac-info/rmsg” as secoff (uid 400).
  • RC: Add GET_STATUS_DATA and MODIFY_SYSTEM_DATA rights for all roles to DEV and PROCESS types as required - the log will tell you (rsbac_rc_role_menu).
  • ACL: Add GET_STATUS_DATA and MODIFY_SYSTEM_DATA rights to DEV and PROCESS :DEFAULT: ACLs as required (rsbac_acl_menu).
  • MAC: “attr_set_file_dir MAC FILE mac_trusted_for_user ” is no longer supported and has been replaced with: “mac_set_trusted [switches] TYPE add/remove target user1 user2 …”
  • Restart important services, e.g. sshd, and check for problematic log messages.
  • When the system seems to run fine without problems, reboot without softmode (you can turn off softmode with “switch_module SOFTMODE 0” and reboot later, but you should check whether the system comes up correctly ASAP).
  • (optional) When happy, recompile kernel without softmode and reinstall.
  • Report any missing items or problems to the mailing list and/or the Bugtracker (SSL).
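
For the "the log will tell you" steps in the three procedures above, an added example (not part of the handbook or the RSBAC admin tools): a shell function that tallies Softmode denials by module, request and target type, so you can see which rights to add. The log field layout and the sample lines are assumptions constructed for illustration; feed it a saved capture of /proc/rsbac-info/rmsg or the file written by rsbac_klogd.

```shell
#!/bin/sh
# Added example (not RSBAC project code): tally Softmode denials so the
# missing rights can be granted per module, request and target type.
# ASSUMPTION: decision lines contain "request <REQ>," "target_type <TYPE>,"
# and end with "result NOT_GRANTED ... by <MODULE> [<MODULE>...]".

# summarize_denials: log lines on stdin -> "count MODULE REQUEST TARGET_TYPE"
summarize_denials() {
    awk '
    /result NOT_GRANTED/ {
        req = ""; tt = ""; mods = ""
        if (match($0, /request [A-Z_]+/))
            req = substr($0, RSTART + 8, RLENGTH - 8)
        if (match($0, /target_type [A-Z_]+/))
            tt = substr($0, RSTART + 12, RLENGTH - 12)
        if (match($0, / by [A-Z ]+$/))
            mods = substr($0, RSTART + 4, RLENGTH - 4)
        if (req == "" || tt == "" || mods == "") next   # skip unparsable lines
        n = split(mods, m, " ")                          # one tally per denying module
        for (i = 1; i <= n; i++) count[m[i] " " req " " tt]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2,4
}

# Constructed sample lines (not captured from a real system).
sample_log() {
    cat <<'EOF'
rsbac_adf_request(): request IOCTL, pid 812, prog_name sshd, uid 0, target_type DEV, result NOT_GRANTED (Softmode) by RC
rsbac_adf_request(): request IOCTL, pid 840, prog_name getty, uid 0, target_type DEV, result NOT_GRANTED (Softmode) by RC ACL
rsbac_adf_request(): request GET_PERMISSIONS_DATA, pid 840, prog_name getty, uid 0, target_type DEV, result NOT_GRANTED (Softmode) by RC
rsbac_adf_request(): request GET_STATUS_DATA, pid 901, prog_name quota, uid 0, target_type SCD, result NOT_GRANTED (Softmode) by ACL
rsbac_adf_request(): request READ_OPEN, pid 812, prog_name sshd, uid 0, target_type FILE, result GRANTED by RC
kernel: eth0: link up
EOF
}

sample_log | summarize_denials
```

Each output row names one (module, request, target type) combination to review in rsbac_rc_role_menu or rsbac_acl_menu before rebooting without softmode.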
documentation/rsbac_handbook/upgrading.1127202619.txt.gz · Last modified: 2006/05/02 13:40 (external edit)
