[rsbac] todo list item
Amon Ott
ao at rsbac.org
Thu Mar 4 19:59:28 CET 2004
On Thursday, 4 March 2004 19:29, Magosányi Árpád wrote:
> -Make _all_ jail features optional.
>
> Reason:
> Jail has some restrictions which are not feasible
> with certain setups. See:
> - Change rsbac_jail syntax to make chroot() optional
> - New JAIL flag allow_clock for ntpd encapsulation
> The problem is that jail is an arbitrary set of
> security measures, some of which can (and some
> of which should) be handled by other modules
> like RC. For any of the jail features there
> exists a setup which is either impossible because
> of that jail feature but needs another feature of
> jail, or can be implemented by another model,
> which means you have implemented something
> twice unnecessarily.
I disagree here. JAIL is meant to be a fast and simple encapsulation for
most cases. It should be strict by default (except for chroot, because it
requires CAP_CHROOT capability) with optional exceptions. If you need a
hand-crafted solution, use the other modules.
Sure, most of the functionality could be covered by the other modules, but
those take more work to set up. There is a lot of redundancy between RSBAC
models - each model might give you another approach to solve the same
problems. Together they are stronger than each single one.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22