[rsbac] todo list item
Amon Ott
ao at rsbac.org
Fri Mar 5 11:32:44 CET 2004
On Freitag, 5. März 2004 08:39, Magosányi Árpád wrote:
> A levelezőm azt hiszi, hogy Amon Ott a következőeket írta:
> > I disagree here. JAIL is meant to be a fast and simple encapsulation
for
> > most cases. It should be strict by default (except for chroot, because
it
> > requires CAP_CHROOT capability) with optional exceptions. If you need a
> > hand crafted solution, use the other modules.
>
> I agree with you in your opinion that it should be strict by default.
>
> But jail have features other models don't. For example the unique IP
> address of the jail. If you want that feature, you should use jail.
> But if you use jail, there are other restrictions which in some cases
> means you cannot use it.
> So if you need one feature of jail, but blocked by another one,
> you are in trouble. This is the case with ntpd, this is my case with
> X, and I am sure that there are others out there with similar
> problematic setups.
AFAIK, the only JAIL feature not available in RC with network templates and
ordinary chroot is the automatic adjustment of the "any" IP address
0.0.0.0, but you can sure limit binding to only one (or more) address.
I agree that the hardwired SCD limits can be a burden, but from my
experience they work for almost all network and many local services. The
few percent not fitting into the scheme should rather be restricted by
other models than making JAILs more complicated, because that would be
against its main goal of simple usage.
X is an ugly beast, which is not easy to put into a preconfigured and
simple jail. What exactly is missing in this case? SCD kmem access? We
have still room for a few more flags, but SCD kmem makes me shudder.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac
mailing list