[rsbac] To-do list for 1.2.2

Amon Ott rsbac@rsbac.org
Mon Nov 18 15:57:00 2002


On Monday, 18. November 2002 14:53, Czakó Krisztián wrote:
> Quoting Amon Ott's message of 18 November 2002, 09:18:
> > On Saturday, 16. November 2002 14:21, Czakó Krisztián wrote:
> > > Quoting Amon Ott's message of 15 November 2002, 12:07:
> > > > To do for 1.2.2:
> > > > - Support more scanners (AVP, AntiVir) in MS module
> > > Clamav?
> > Where can I get a Linux daemon for testing?
> 
> http://clamav.elektrapro.com/

Will have a look when I revisit the MS code.
 
> > > Allow IP-list in jail, not just one IP.
> > > What I'd like to use is to allow 127.0.0.1 and one public IP in the jail.
> > OK, I will look into that. 127.0.0.1 (optional) and one other IP would be
> > easy, but probably not sufficient. More IPs require a list and thus a bit
> > more work.
> 
> In fact, I need 127.0.0.1 for internal IP communication between jails without
> the need for binding public IPs and rejecting it with netfilter from the Net.

OK. The 127.0.0.1 address will soon be available through another flag/switch.
 
> > > BTW, I have one small(?) problem with the jail in 1.2.1 (2.4.19):
> > > I can't use Debian fakeroot utility. It's forbidden by the JAIL module.
> > > Is it possible to allow it?
> > What exactly does not get allowed?
> 
> Fakeroot from Debian GNU/Linux 3.0 woody.
> Simple test script (test.sh):
> --- cut ---
> #!/bin/sh
> 
> id
> --- cut ---
> 
> ./test.sh runs fine.
> fakeroot ./test.sh hangs.
> Debian package building stops with error message.
> 
> RSBAC messages:
> <6>rsbac_adf_request(): request READ_OPEN, pid 30569, ppid 30568, prog_name
> faked, uid 1000, target_type IPC, tid Msg-ID 131075, attr none, value 0,
> result NOT_GRANTED by JAIL
> <6>rsbac_adf_request(): request DELETE, pid 30569, ppid 30568, prog_name
> faked, uid 1000, target_type IPC, tid Msg-ID 131075, attr none, value 0,
> result NOT_GRANTED by JAIL
> <6>rsbac_adf_request(): request DELETE, pid 30569, ppid 30568, prog_name
> faked, uid 1000, target_type IPC, tid Msg-ID 163844, attr none, value 0,
> result NOT_GRANTED by JAIL
> <6>rsbac_adf_request(): request DELETE, pid 30568, ppid 30567, prog_name
> faked, uid 1000, target_type IPC, tid Msg-ID 131075, attr none, value 0,
> result NOT_GRANTED by JAIL
> <6>rsbac_adf_request(): request DELETE, pid 30568, ppid 30567, prog_name
> faked, uid 1000, target_type IPC, tid Msg-ID 163844, attr none, value 0,
> result NOT_GRANTED by JAIL

Seems like fakeroot tried to access an IPC object outside the jail.

Just to check: Could you please retry with the -i parameter to rsbac_jail 
(external IPC access)? It should work then, but with a big hole.

Amon.
--
http://www.rsbac.org
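A small triage helper for kernel messages in the format quoted above, added here as an example and not part of RSBAC or of this thread: it re-joins records that the mailer wrapped over several lines, parses the fields of each rsbac_adf_request() line, and counts NOT_GRANTED decisions per module, program, target type and request, which is how one spots that the denials all come from JAIL against IPC objects used by faked. The sample log is constructed from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample in the format of the RSBAC messages quoted in the
# thread, including the three-line wrapping the mailer applied.
SAMPLE_LOG = """\
<6>rsbac_adf_request(): request READ_OPEN, pid 30569, ppid 30568, prog_name
faked, uid 1000, target_type IPC, tid Msg-ID 131075, attr none, value 0,
result NOT_GRANTED by JAIL
<6>rsbac_adf_request(): request DELETE, pid 30569, ppid 30568, prog_name
faked, uid 1000, target_type IPC, tid Msg-ID 131075, attr none, value 0,
result NOT_GRANTED by JAIL
<6>rsbac_adf_request(): request DELETE, pid 30568, ppid 30567, prog_name
faked, uid 1000, target_type IPC, tid Msg-ID 163844, attr none, value 0,
result NOT_GRANTED by JAIL
"""

# Field layout as it appears in the quoted messages (assumed stable here).
RECORD_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>[^,]+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog>[^,]+), uid (?P<uid>\d+), "
    r"target_type (?P<target_type>[^,]+), tid (?P<tid>.+?), attr (?P<attr>[^,]+), "
    r"value (?P<value>[^,]+), result (?P<result>\S+) by (?P<module>\S+)"
)

def unwrap_records(text):
    """Re-join wrapped lines; a new record starts at each rsbac_adf_request()."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "rsbac_adf_request()" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_adf_log(text):
    """Return one dict of named fields per parsable record."""
    parsed = []
    for rec in unwrap_records(text):
        m = RECORD_RE.search(rec)
        if m:
            parsed.append(m.groupdict())
    return parsed

def summarize_denials(text):
    """Count NOT_GRANTED decisions per (module, prog_name, target_type, request)."""
    counts = Counter()
    for r in parse_adf_log(text):
        if r["result"] == "NOT_GRANTED":
            counts[(r["module"], r["prog"], r["target_type"], r["request"])] += 1
    return counts
```

Feed it the output of dmesg (or the syslog file that receives kernel messages) to get the same per-module breakdown on a live system.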