[rsbac] RSBAC 1.3.0 released

Amon Ott ao at rsbac.org
Thu Oct 12 12:42:26 CEST 2006


RSBAC 1.3.0 has been released for both kernels 2.4.33.3 and 2.6.18.

You can download the new version from http://www.rsbac.org/download 
(Quick download from http://www.rsbac.org/download/quick).

Please give us a lot of feedback for this version!

Improvements over the 1.2.x series:

Speed and scalability:
  - Automatic online resizing of per-list hash table to reduce access time for large attribute lists significantly.
  - Limit number of items per single list to 50000, so real limit is at 50000 * nr_hashes.
  - Optimize cases in decision modules.
  - Change network templates to handle up to 25 IP networks and up to 10 port ranges.
  - Change aci, acl and auth devices lists to use RCU on 2.6 kernels.

More control:
  - Optionally check CHANGE_OWNER for PROCESS targets also as CHANGE_OWNER on the new USER. This allows fine grained setuid control also in RC and ACL models.
  - Change named UNIX sockets to be new filesystem target type T_UNIXSOCK and unnamed to be new IPC type anonunix (like FIFO target for pipes).
  - RC role def_unixsock_create_type, which overrides the def_(ind_)fd_create_type. Default value use_def_fd.
  - UM password history with configurable length to avoid password reuse.
  - New request type AUTHENTICATE against USER targets. No authentication against RSBAC UM without this right in RC and ACL.

JAIL Module:
  - More detailed JAIL decision logging for IPC and UNIXSOCK targets with rsbac_debug_adf_jail.
  - allow_parent_ipc to allow IPC into parent jail. Useful with Apache mod_jail and others.
  - Add a flag to allow suid/sgid files and dirs.

Other improvements:
  - Dazuko udev support.
  - Hide dir entries a process has no SEARCH right for.
  - Complete hook review with several small fixes.
  - Add rsbac_get_switch(value_p, switchable) that returns the module’s status (on or off) and switchable status (can turn off, back on, ..).
  - Added similar output to the proc information (/proc/rsbac-info/active).

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

