[rsbac] updating applications

Amon Ott ao at rsbac.org
Fri Dec 3 09:11:36 CET 2004

On Monday, 29 November 2004 10:40, Andrea Pasquinucci wrote:
> I would like to ask the list which strategy is most adopted for 
> applications, i.e. all software except for RSBAC, like apache etc. I 
> like to keep my software up to date as much as possible, and I check 
> daily for updates. Currently I try to follow the following approach
> 1. check for updates (possibly daily)
> 2. if there are updates continue, otherwise stop
> 3. switch down internet interface
> 4. switch to softmode (could require reboot)
> 5. shutdown, update, restart software
> 6. reinstall all/most/relevant rsbac rules
> 7. switch to secure mode (could require reboot)
> 8. up internet interface
> Any comment, smarter way ... ? I see as an alternative to switching 
> softmode, to remove the read-only flag from the files to be updated 
> then re-apply the read-only flag after the update (in some cases 
> could be a lot of work, depending on the setup obviously).

You can do this in secure mode, if you have another user and RC role 
doing the update. Give the user sufficient CAP min_caps and the 
required roles for all active modules with rights to overwrite the 
programs, backup/restore RSBAC attributes and restart daemons after 
attribute restore.

Your package tools might need a fake_root setting, if they are stupid 
enough to test for uid == 0. The only problem that we encountered is 
that even some pre/post install scripts make this silly test and 
fail, because fake_root is not (yet) inherited by other programs.

If you are using FF flags in areas which might be affected, it will 
be enough to switch FF individual softmode - with all consequences. 
RC gives you much more flexibility, though.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22