Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
No events planned
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
home [2013/09/01 23:37] 127.0.0.1 (old revision restored) |
home [2023/02/15 13:57] ao Fix git link format |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Yet Another Way To Configure DAZ ====== | + | == RSBAC 1.5.6 for kernel 6.1 == |
+ | //Wednesday, 15/Feb/2023// | ||
+ | Hi folks, | ||
- | One morning, after drinking my first cup of coffee at this day I decided to try DAZ. In handbook appeared that was required to run as root, but with the strength given by my breakfast I decided, not I will not. Here you have the result: | + | just a quick notice that RSBAC has been ported to kernel 6.1 at 5.15 state. Seems to be running fine on my test system, but please test yourself and report to the mailing list or to the bug tracker. |
- | ===== Preparation ===== | + | You get all the code at https://download.rsbac.org/latestdiff/ or through Git at git.rsbac.org/, e.g. git.rsbac.org/linux-6.1.y |
- | I'm one hardened gentoo user so I decided emerge clamav (in case you weren't you must be sure that your clamav is not compiled with --disable-clamuko). Into its configuration file (/etc/clamd.conf) I set this options in (one of them, the interesting one): | + | RSBAC has been running very well with kernel series 5.10 for a long time, so please consider 5.10 to be the best choice for now. |
- | User clamav | ||
- | __//**UM RELATED STUFF**//__ | + | == RSBAC 1.5.6 for kernel 5.15 == |
+ | //Tuesday, 09/Nov/2021// | ||
- | After setting up UM clamav user properly with (as secoff or bofh in my system): | + | Hi folks, |
- | bofh@orion~$rsbac_useradd -m -r -P -i 20 -d /adm/clamav -g 700 -u 700 | + | just a quick notice that RSBAC has been ported to kernel 5.15 at 5.10 state. Seems to be running fine on my test system, but please test yourself and report here or to the bug tracker. |
- | The user was added with its own password by separation of duties concern. | + | |
- | I proceed to configure AUTH properly: | + | In 1.5.6, found in 5.15, 5.10 and rsbac-admin Git repos, we have a new IPC target memfd, which lets memfd access be treated as IPC for easier administration. |
- | __//**AUTH RELATED STUFF**//__ | + | You get all the code at https://download.rsbac.org/latestdiff/ or through Git at git.rsbac.org/, e.g. git.rsbac.org/linux-5.15.y |
- | bofh@orion~$auth_set_cap FD add /usr/sbin/clamd 0/700 | + | RSBAC has been running very well with kernel series 5.10 for a long time, so please consider 5.10 to be the best choice for now. |
- | bofh@orion~$auth_set_cap -e FD add /usr/sbin/clamd 0/700 | + | |
- | bofh@orion~$auth_set_cap -f FD add /usr/sbin/clamd 0/700 | + | |
- | Above commands with -e and -f flags are only required if you have CONFIG_RSBAC_AUTH_DAC_OWNER in you kernel config if not omit them. | ||
- | Other question you have to keep in mind is that if you enabled CONFIG_RSBAC_AUTH_GROUP you have to add the AUTH capabilities to its group (-G -E -F flags to auth_set_cap). | + | == RSBAC for kernel 5.10 == |
+ | //Thursday, 31/Dec/2020// | ||
- | And then I start granting clamd the privileges required to work (in capabilities): | + | RSBAC is now available for kernel 5.10. So far it seems to work |
+ | fine here. Please test and report bugs to the bugtracker at | ||
+ | https://bugtracker.rsbac.org or to this list. | ||
- | __//**CAP RELATED STUFF**//__ | + | As usual, you find the latest patches at |
+ | https://download.rsbac.org/latestdiff/5.10/ | ||
+ | and the Git repo at | ||
+ | https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.10.y.git;a=summary | ||
- | In my tests, clamd needs CHOWN DAC_READ_SEARCH FOWNER SETGID and SETUID as minimal capabilities. So I grant them as minimal caps: | + | As we are heading into 2021, we wish all of you a good and successful new |
- | + | year. RSBAC development will turn 25 years old in 2021, maybe a good | |
- | bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd min_caps CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID | + | time for some celebration and reflection. |
- | and of course as I granted minimal caps I forbid passing LD environment variables | + | == Decision modules PAX and DAZ removed == |
+ | //Wednesday, 22/Apr/2020// | ||
+ | |||
+ | PAX and DAZ modules have been removed in latest kernel 5.4 and | ||
+ | rsbac-admin git repos. RSBAC version is now 1.5.5 to reflect that change. | ||
+ | |||
+ | == Deprecate decision modules PAX and DAZ == | ||
+ | //Tuesday, 31/Mar/2020// | ||
+ | |||
+ | PAX and DAZ support are now marked as deprecated. PaX has not been freely available for years and the Dazuko interface seems obsolete, too. For on-access malware scanning, I recommend the UDF module. | ||
+ | |||
+ | If noone protests within the next few weeks, I am going to remove the related code. | ||
+ | |||
+ | == RSBAC for kernel 5.4 == | ||
+ | //Wednesday, 27/Nov/2019// | ||
+ | |||
+ | RSBAC has been ported to kernel 5.4. Please test and report bugs to the bugtracker at https://bugtracker.rsbac.org or to this list. | ||
+ | |||
+ | As usual, you find the latest patches at https://download.rsbac.org/latestdiff/5.4/ and the Git repo at https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-5.4.y.git;a=summary | ||
+ | |||
+ | == New DokuWiki version == | ||
+ | //Monday, 14/Jan/2019// | ||
+ | |||
+ | The RSBAC Website DokuWiki version has been updated today. | ||
+ | |||
+ | Please test and report any problems! | ||
+ | |||
+ | == RSBAC ported to 4.19 == | ||
+ | //Tuesday, 30/Oct/2018// | ||
+ | |||
+ | Latest RSBAC for kernel 4.19 is now available in Git at | ||
+ | [[git://git.rsbac.org/linux-4.19.y.git]] | ||
+ | |||
+ | Diffs will start showing up at [[https://download.rsbac.org/latestdiff/]] | ||
+ | after release of 4.19.1. | ||
+ | |||
+ | Please test and report any problems! | ||
+ | |||
+ | As a side node, I will start removing old unsupported Git repositories, | ||
+ | EOL at upstream and unchanged for > 10 months, from the server soon. | ||
+ | Please tell me, if you still need them. | ||
+ | |||
+ | == Latest RSBAC patches == | ||
+ | //Wednesday, 11/April/2018// | ||
+ | |||
+ | Even though this page has not been updated for a long time, RSBAC is still under constant development and maintenance. Latest code has always been available through git. | ||
+ | |||
+ | From now on, you can also find the latest RSBAC patches for the maintained kernel versions in the [[@dl.php?file=latestdiff/|latestdiff]] download dir. | ||
+ | |||
+ | == RSBAC 1.5.0 == | ||
+ | //Tuesday, 13/September/2016// | ||
+ | |||
+ | [[:download|RSBAC 1.5.0]] has been released for kernel 4.4.20. Please drop us a note if you need support for other kernel versions. | ||
+ | |||
+ | The most important changes since 1.4.9 are the port to longterm kernel 4.4 and the new feature "Prevent memory write and execute (RSBAC mprotect)" to prevent against process memory segments being both writable and executable. This new hardening feature made me choose a new middle version number. | ||
+ | |||
+ | The change lists are here: | ||
+ | Kernel changes: | ||
+ | http://www.rsbac.org/dl.php?file=code/1.5.0/changes-1.5.0.txt | ||
+ | |||
+ | Admin tools changes: | ||
+ | http://www.rsbac.org/dl.php?file=code/1.5.0/admin-changes-1.5.0.txt | ||
+ | |||
+ | Please consider giving some feedback on the [[:contact|RSBAC mailing list]]. | ||
- | bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd cap_ld_env 0 | ||
- | |||
- | ___ to be continued... soon |