[rsbac] todo list item

Amon Ott ao at rsbac.org
Fri Mar 5 11:32:44 CET 2004


On Friday, 5 March 2004 08:39, Magosányi Árpád wrote:
> My mail client believes that Amon Ott wrote the following:
> > I disagree here. JAIL is meant to be a fast and simple encapsulation for
> > most cases. It should be strict by default (except for chroot, because it
> > requires CAP_CHROOT capability) with optional exceptions. If you need a
> > hand-crafted solution, use the other modules.
> 
> I agree with you in your opinion that it should be strict by default.
> 
> But jail has features other models don't. For example the unique IP
> address of the jail. If you want that feature, you should use jail.
> But if you use jail, there are other restrictions which in some cases
> mean you cannot use it.
> So if you need one feature of jail, but are blocked by another one,
> you are in trouble. This is the case with ntpd, this is my case with
> X, and I am sure that there are others out there with similar
> problematic setups.

AFAIK, the only JAIL feature not available in RC with network templates and 
ordinary chroot is the automatic adjustment of the "any" IP address 
0.0.0.0, but you can sure limit binding to only one (or more) address.

I agree that the hardwired SCD limits can be a burden, but from my 
experience they work for almost all network and many local services. The 
few percent not fitting into the scheme should rather be restricted by 
other models than making JAILs more complicated, because that would be 
against its main goal of simple usage.

X is an ugly beast, which is not easy to put into a preconfigured and 
simple jail. What exactly is missing in this case? SCD kmem access? We 
have still room for a few more flags, but SCD kmem makes me shudder.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22


