[rsbac] RSBAC 1.3.0 released
Amon Ott
ao at rsbac.org
Thu Oct 12 12:42:26 CEST 2006

RSBAC 1.3.0 has been released for both kernels 2.4.33.3 and 2.6.18.
You can download the new version from http://www.rsbac.org/download
(Quick download from http://www.rsbac.org/download/quick).

Please give us a lot of feedback for this version!

Improvements over the 1.2.x series:

Speed and scalability:
- Automatic online resizing of per-list hash table to reduce access
time for large attribute lists significantly.
- Limit number of items per single list to 50000, so real limit is
at 50000 * nr_hashes.
- Optimize cases in decision modules.
- Change network templates to handle up to 25 IP networks and up to
10 port ranges.
- Change aci, acl and auth devices lists to use RCU on 2.6 kernels.

More control:
- Optionally check CHANGE_OWNER for PROCESS targets also as
CHANGE_OWNER on the new USER. This allows fine grained setuid control
also in RC and ACL models.
- Change named UNIX sockets to be new filesystem target type
T_UNIXSOCK and unnamed to be new IPC type anonunix (like FIFO target
for pipes).
- RC role def_unixsock_create_type, which overrides the
def_(ind_)fd_create_type. Default value use_def_fd.
- UM password history with configurable length to avoid password
reuse.
- New request type AUTHENTICATE against USER targets. No
authentication against RSBAC UM without this right in RC and ACL.

JAIL Module:
- More detailed JAIL decision logging for IPC and UNIXSOCK targets
with rsbac_debug_adf_jail.
- allow_parent_ipc to allow IPC into parent jail. Useful with Apache
mod_jail and others.
- Add a flag to allow suid/sgid files and dirs.

Other improvements:
- Dazuko udev support.
- Hide dir entries a process has no SEARCH right for.
- Complete hook review with several small fixes.
- Add rsbac_get_switch(value_p, switchable) that returns the
module’s status (on or off) and switchable status (can turn off, back
on, ..).
- Added similar output to the proc information
(/proc/rsbac-info/active).

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22