[rsbac] todo list item

Amon Ott ao at rsbac.org
Thu Mar 4 19:59:28 CET 2004

On Donnerstag, 4. März 2004 19:29, Magosányi Árpád wrote:
> -Make _all_ jail features optional.
> Reason:
> Jail have some restrictions which are not feasible
> with certain setups. See:
> - Change rsbac_jail syntax to make chroot() optional
> - New JAIL flag allow_clock for ntpd encapsulation
> The problem is that jail is an arbitrary set of
> security measures, some of which can (and some
> of which should) be handled by other modules
> like RC. For any of the jail features there
> exists a setup which either impossible because
> that jail feature but needs another feature of
> jail, or can be implemented by another modell,
> which means you have implemented something
> twice unnecessary.

I disagree here. JAIL is meant to be a fast and simple encapsulation for 
most cases. It should be strict by default (except for chroot, because it 
requires CAP_CHROOT capability) with optional exceptions. If you need a 
hand crafted solution, use the other modules.

Sure most of the functionality could be covered by the other modules, but 
those take more work to setup. There is a lot of redundancy between RSBAC 
models - each model might give you another approach to solve the same 
problems. Together they are stronger than each single one.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list