home
Releases
Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
Events
No events planned
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
home [2013/09/01 23:37] 127.0.0.1 (old revision restored) |
home [2019/01/14 11:34] admin |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Yet Another Way To Configure DAZ ====== | + | ==== RSBAC ported to 4.19 ==== |
| + | //Tuesday, 30/Oct/2018// | ||
| + | Latest RSBAC for kernel 4.19 is now available in Git at | ||
| + | [[git://git.rsbac.org/linux-4.19.y.git]] | ||
| - | One morning, after drinking my first cup of coffee at this day I decided to try DAZ. In handbook appeared that was required to run as root, but with the strength given by my breakfast I decided, not I will not. Here you have the result: | + | Diffs will start showing up at [[https://download.rsbac.org/latestdiff/]] |
| + | after release of 4.19.1. | ||
| - | ===== Preparation ===== | + | Please test and report any problems! |
| - | I'm one hardened gentoo user so I decided emerge clamav (in case you weren't you must be sure that your clamav is not compiled with --disable-clamuko). Into its configuration file (/etc/clamd.conf) I set this options in (one of them, the interesting one): | + | As a side node, I will start removing old unsupported Git repositories, |
| + | EOL at upstream and unchanged for > 10 months, from the server soon. | ||
| + | Please tell me, if you still need them. | ||
| - | User clamav | + | ==== Latest RSBAC patches ==== |
| + | //Wednesday, 11/April/2018// | ||
| - | __//**UM RELATED STUFF**//__ | + | Even though this page has not been updated for a long time, RSBAC is still under constant development and maintenance. Latest code has always been available through git. |
| - | After setting up UM clamav user properly with (as secoff or bofh in my system): | + | From now on, you can also find the latest RSBAC patches for the maintained kernel versions in the [[@dl.php?file=latestdiff/|latestdiff]] download dir. |
| - | bofh@orion~$rsbac_useradd -m -r -P -i 20 -d /adm/clamav -g 700 -u 700 | ||
| - | The user was added with its own password by separation of duties concern. | ||
| - | |||
| - | I proceed to configure AUTH properly: | ||
| - | |||
| - | __//**AUTH RELATED STUFF**//__ | ||
| - | |||
| - | bofh@orion~$auth_set_cap FD add /usr/sbin/clamd 0/700 | ||
| - | bofh@orion~$auth_set_cap -e FD add /usr/sbin/clamd 0/700 | ||
| - | bofh@orion~$auth_set_cap -f FD add /usr/sbin/clamd 0/700 | ||
| - | |||
| - | Above commands with -e and -f flags are only required if you have CONFIG_RSBAC_AUTH_DAC_OWNER in you kernel config if not omit them. | ||
| - | |||
| - | Other question you have to keep in mind is that if you enabled CONFIG_RSBAC_AUTH_GROUP you have to add the AUTH capabilities to its group (-G -E -F flags to auth_set_cap). | ||
| - | |||
| - | And then I start granting clamd the privileges required to work (in capabilities): | ||
| - | |||
| - | __//**CAP RELATED STUFF**//__ | ||
| - | |||
| - | In my tests, clamd needs CHOWN DAC_READ_SEARCH FOWNER SETGID and SETUID as minimal capabilities. So I grant them as minimal caps: | ||
| - | | ||
| - | bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd min_caps CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID | ||
| - | |||
| - | and of course as I granted minimal caps I forbid passing LD environment variables | ||
| - | |||
| - | bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd cap_ld_env 0 | ||
| - | |||
| - | ___ to be continued... soon | ||
home.txt · Last modified: 2024/01/11 09:51 by ao