[rsbac] was device 00:00

Rumen Yotov rumen_yotov at dir.bg
Sun Jul 11 07:43:46 CEST 2004


Hi all,
For some time tried Adamantix-1.0.3, but after Gentoo also included
RSBAC and as it's my main Linux distro think I'll use Gentoo in future.
For 2-3 weeks try to use rsbac-kernel on Gentoo /hardened/.
In the beginning /rsbac-2.6.7 & 2.6.7-r1/ there were no problems. As at
this time had some unneeded options in my .config cleared it up /loaded
some things as modules, remove not used stuff - all safe/ but later I
couldn't even boot with these kernels, stops at mounting root fs.
The same new config worked with normal and grsecurity2-kernels.
A day ago saw this mail /see subject/ and tried the suggested - got some
advance.
I'm now booting till mounting local fs /must be the fstab entries/ and
again boot hangs.
Exactly the same kernel .config works with two other kernels -
grsec2-PaX-2.6.7-r2 and mm-sources-2.6.7-r6 no problem.
I've followed the docs on http://www.gentoo.org/proj/en/hardened/
even in order to first get a bootable system and later add more
features /options/, disabled PaX at all also some other things.
OT: As of 2.6.7 I also have working ACLs with reiserfs, not so till
2.6.5, but that shouldn't be a problem.
No 4K stacks /they work in the other kernels/. Problem may be the fact
I'm using genkernel /so use initrd/ enabled kernel, think I'll try
manually compiled kernel /no initrd/.
Here's part of .config:
...CUT...
#
# Rule Set Based Access Control (RSBAC)
#
CONFIG_RSBAC=y

#
# General RSBAC options
#
CONFIG_RSBAC_INIT_THREAD=y
CONFIG_RSBAC_MAX_INIT_TIME=60
CONFIG_RSBAC_PROC=y
CONFIG_RSBAC_INIT_CHECK=y
# CONFIG_RSBAC_NO_WRITE is not set
# CONFIG_RSBAC_MSDOS_WRITE is not set
CONFIG_RSBAC_AUTO_WRITE=5
CONFIG_RSBAC_DEBUG=y
# CONFIG_RSBAC_DEV_USER_BACKUP is not set
CONFIG_RSBAC_SECOFF_UID=400
CONFIG_RSBAC_INIT_DELAY=y

#
# RSBAC networking options
#
CONFIG_RSBAC_NET=y
CONFIG_RSBAC_NET_DEV=y
CONFIG_RSBAC_NET_DEV_VIRT=y
CONFIG_RSBAC_IND_NETDEV_LOG=y
CONFIG_RSBAC_NET_OBJ=y
CONFIG_RSBAC_NET_OBJ_UNIX=y
CONFIG_RSBAC_NET_OBJ_RW=y
CONFIG_RSBAC_IND_NETOBJ_LOG=y

#
# -------------------------
#
# CONFIG_RSBAC_MAINT is not set

#
# -------------------------
#

#
# Decision module (policy) options
#
CONFIG_RSBAC_REG=y
CONFIG_RSBAC_REG_SAMPLES=y

#
# -------------------------
#
# CONFIG_RSBAC_MAC is not set
# CONFIG_RSBAC_FC is not set
# CONFIG_RSBAC_SIM is not set
# CONFIG_RSBAC_PM is not set
# CONFIG_RSBAC_DAZ is not set
# CONFIG_RSBAC_FF is not set
# CONFIG_RSBAC_RC is not set
# CONFIG_RSBAC_AUTH is not set
# CONFIG_RSBAC_ACL is not set
# CONFIG_RSBAC_CAP is not set
# CONFIG_RSBAC_JAIL is not set
# CONFIG_RSBAC_PAX is not set
# CONFIG_RSBAC_RES is not set

#
# ----------------
#

#
# Softmode and switching
#
CONFIG_RSBAC_SWITCH=y
CONFIG_RSBAC_SOFTMODE=y
# CONFIG_RSBAC_SOFTMODE_SYSRQ is not set
CONFIG_RSBAC_SOFTMODE_IND=y

#
# Logging
#
CONFIG_RSBAC_IND_LOG=y
CONFIG_RSBAC_IND_USER_LOG=y
CONFIG_RSBAC_IND_PROG_LOG=y
CONFIG_RSBAC_LOG_FULL_PATH=y
CONFIG_RSBAC_MAX_PATH_LEN=512
CONFIG_RSBAC_RMSG=y
CONFIG_RSBAC_RMSG_NOSYSLOG=y

#
# ----------------
#
# CONFIG_RSBAC_LOG_REMOTE is not set
CONFIG_RSBAC_SYM_REDIR=y
CONFIG_RSBAC_SYM_REDIR_UID=y
# CONFIG_RSBAC_SYM_REDIR_RC is not set
# CONFIG_RSBAC_ALLOW_DAC_DISABLE is not set

#
# Other RSBAC options
#
# CONFIG_RSBAC_SECDEL is not set
CONFIG_RSBAC_RW=y
CONFIG_RSBAC_IPC_SEM=y
CONFIG_RSBAC_DAC_OWNER=y
CONFIG_RSBAC_PROC_HIDE=y
CONFIG_RSBAC_SYSLOG=y
# CONFIG_RSBAC_DAT_VISIBLE is not set
# CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT is not set
# CONFIG_RSBAC_USER_MOD_IOPERM is not set
# CONFIG_RSBAC_FAKE_ROOT_UID is not set
# CONFIG_RSBAC_XSTATS is not set

#
...END CUT...
Think I had to activate some modules /policy/ options or at least AUTH,
REG etc, but in these docs there are no references to such things.
Using: rsbac_softmode=1 rsbac_auth_unable_login and
rsbac_delayed_init=3:2 options in my kernel loading line /GRUB/.
PS: mounting /tmp with noexec in separate partition but this hasn't been
a problem till now.
Suggestions?
TIA.
Rumen
