[rsbac] howto questions

Amon Ott rsbac@rsbac.org
Mon Apr 15 11:02:01 2002

On Monday, 15. April 2002 08:32, Metrix wrote:
> I am really looking forward to this howto, I was just
> wondering if setting up X will be covered, while not
> urgent, it is anoying to reboot whenever I need to use
> X.

Keith Matthews volunteered to have a look at the howtos, you might ask him 
for info on this.

As to X: In 1.2.0, you should make a new RC role with RC and ACL kmem access 
and assign it to the X server. In 1.1.2, this does not work for ACL, so if 
you have ACL, you will have to allow access for group everyone in ACL, but 
deny to others in RC.

> Out of curiosity, why when i give root permission o
> /dev/mem, i still cannot cat /dev/mem, do i have to
> give permission to /bin/cat? I know it is a bad idea,
> I am just curious...

What is in the log?

You need access to both, the device and SCD kmem.

> Furthermore, is RSBAC secure by default, eg if an
> exploit is released and an rsbac system is running
> vulnerable software, will the exploit still grant a
> shell, or will it not allow the exploit to be executed?

There is no program setup database with auto update included, but you can 
setup RSBAC in a way that exploits in a server program cannot lead to a shell.

The techniques involved are called 'Base Protection' (protecting the base 
system) and 'Service Encapsulation' (making a tight container around each 
service). They are described in more or less detail in my tutorials and 
workshops, and certainly in my dissertation.

I have just uploaded my Linux Kongress tutorial handout to give you an idea: