[rsbac] LSM support removed and ported to 2.6.0-test9

Bencsath Boldizsar boldi at mail2003.etl.hu
Thu Oct 30 11:32:08 MET 2003

> The logic is simple, for every access violation, there is a setting missing.
> Add the setting and there is no violation anymore. And it guarantees that you
> provide no more access than is required.

Due to the keep it simple, stupid methodology, it is not usally needed to
do this by the rsbac kernel: simply we need some unix utilities to help
keeping rsbac settings up to date. For example, every access violation is
logged in syslog, so just enter rsbac_softmode, run the programs, parse
syslog and set the bits automatically.

The only thing I'm missing is the number of the role in the logs-> I am
unable to decide what role has been used by uid X when it made something
wrong... Amon, is it possible to turn on role logging for RC NOT_GRANTED.

anyway, here's a simple script for You to think about.
example: backurights exim
this will save all rsbac data on files in the exim debian package to a
file with a date trailing, set setuid rights to 0 to enable updating the

In detail:
secoff:backurights exim
root:apt-get install exim (new version)
secoff: sh <savedfilename-written on console by backurights>

:/home/secoff# more backurights

@A=`dpkg -L $ARGV[0]`;
$D=`date "+%Y%m%d"`;

print "#backing up $ARGV[0] at $D\n";
print F "#backing up $ARGV[0] at $D\n";
foreach $s (@A)
if (length($s)>2)
$s=~ s/\n//g;
$b=`attr_back_fd  $s`;
print F $b;
print "###setuid turning off:\n\n\n";
while ($se=<F>)
if ($se=~ /setuid/)
$se=~ s/auth_may_setuid 1/ auth_may_setuid 0/g;
print $se;
print "\n\n\n";
print "run this to restore:\n\n\nsh $f\n\n";

More information about the rsbac mailing list